Comparative Study on Legislative and Non Legislative Measures to Combat Identity Theft and Identity Related Crime: Final Report

TR-982-EC

NEIL ROBINSON, HANS GRAUX, DAVIDE MARIA PARRILLI, LISA KLAUTZER AND LORENZO VALERI

June 2011

Prepared for DG Home Affairs

Preface

This document is the Final Report of a comparative study on legislative and non-legislative measures to combat identity theft and identity-related crime. It includes:
• Chapters on the context and definitional understanding for a pan-European data collection exercise regarding the legal and non-legal measures aimed at addressing the challenge of identity theft.
• Summaries of the countries covered as part of this study.
• Analysis and conclusions from the overview of the evidence base above.
• An Appendix with National Profiles for each country covered.

This report represents a multi-stage ‘legislative and policy diagnostic’ intended to assess the validity and effectiveness of current EU Member States’ legal and non-legal responses to the particular public policy challenge of the emergence of identity theft. This is an increasingly prevalent form of criminality and, with increasing reliance on public and private identity infrastructures, a possible emergent risk to the growing information society. This diagnostic consists of an overview of the typology of conduct; a review of the existence and impact of current national legal and non-legal means to address these forms of conduct; and finally the exploration of appropriate mechanisms to improve the situation. As such the data in this report, collected between March and May 2010, represent a snapshot of the situation in mid-2010.
For more information about RAND Europe or this document, please contact:

Neil Robinson
RAND Europe
Westbrook Centre
Milton Road
Cambridge CB4 1YG
United Kingdom
[email protected]
+44(0)1223 353329

The views in this study are those of the authors and do not necessarily represent those of the European Commission.

Acknowledgements

The authors would like to express their gratitude to Prof. Jos Dumortier and Dr. Barrie Irving for their helpful and thoughtful inputs to the study. In addition, the authors would like to extend their thanks to those present at an Expert Meeting on Identity Theft and Identity Management held in Brussels on 4-5 October 2010 who provided inputs and further guidance.

Contents

Preface
Acknowledgements
Summary
CHAPTER 1 Introduction
  1.1 The role of technology
CHAPTER 2 Overall concepts
  2.1 What is identity?
  2.2 Is identity theft part of identity fraud?
  2.3 Conclusions
CHAPTER 3 A typology of identity-related crime
  3.1 Options for classification and categorisation
  3.2 Identity-related crime for direct economic gain
  3.3 Relationship to other major forms of criminal activity
  3.4 The means to perpetrate identity-related misuse
CHAPTER 4 The consequences of identity-related crime
  4.1 The economic costs of identity theft and identity fraud
  4.2 Personal impact
CHAPTER 5 Responses and mitigation: criminalisation and identity assurance
  5.1 How to approach criminalisation?
  5.2 Prevention
  5.3 Relevant supranational legislative norms
  5.4 Public-private international collaboration
  5.5 The European policy response
  5.6 National responses
    5.6.1 Legislation
    5.6.2 Non-legal responses
CHAPTER 6 Conclusions
CHAPTER 7 Country Summaries
  7.1 Australia
  7.2 Austria
  7.3 Belgium
  7.4 Bulgaria
  7.5 Canada
  7.6 China
  7.7 Cyprus
  7.8 Czech Republic
  7.9 Denmark
  7.10 Estonia
  7.11 Finland
  7.12 France
  7.13 Germany
  7.14 Greece
  7.15 Hungary
  7.16 India
  7.17 Ireland
  7.18 Italy
  7.19 Japan
  7.20 Latvia
  7.21 Lithuania
  7.22 Luxembourg
  7.23 Malta
  7.24 The Netherlands
  7.25 Poland
  7.26 Portugal
  7.27 Romania
  7.28 Russian Federation
  7.29 Slovakia
  7.30 Slovenia
  7.31 Spain
  7.32 Sweden
  7.33 United Kingdom
  7.34 United States
CHAPTER 8 Analysis
  8.1 The legal perspective: a comparative overview of legislation
    8.1.1 Legislation focusing explicitly on identity theft
    8.1.2 Other offences applicable to identity theft incidents
  8.2 Civil sanctions
  8.3 Case law review with respect to identity theft
    8.3.1 Introduction
    8.3.2 Claiming a false identity online
    8.3.3 Unlawfully using another person’s credentials
    8.3.4 Phishing
    8.3.5 Using falsified identity documents to unlawfully apply for social benefits
    8.3.6 Trafficking in unlawfully obtained personal information
  8.4 Identity theft reporting mechanisms
    8.4.1 Introduction
    8.4.2 Ad hoc online and offline identity theft reporting mechanisms
    8.4.3 Generic reporting mechanisms
    8.4.4 Other reporting mechanisms and informative sites
    8.4.5 Cross-border collaboration and international reporting mechanisms
CHAPTER 9 Conclusions and recommendations
    9.1.1 Key findings
    9.1.2 Conclusions with respect to legislation
    9.1.3 Conclusions with respect to case law
    9.1.4 Conclusions with respect to reporting mechanisms
  9.2 Recommendations
REFERENCES
  Reference List
Appendices
  Appendix 1: National Profiles

Summary

Identity has been termed the ‘central organising principle’ of the information age. Undoubtedly, identity represents a currency for modern developed societies, and for developing economies it acts as a gateway to further economic growth. As far back as 1997, Peter G. Neumann was writing about a worrying rise in identity theft.[1] Although he stated that computer access was not essential for identity theft, he identified that ‘remote, global, and possibly anonymous access’ would greatly increase these risks.
Dr Collins, former director of the Michigan State University Identity Theft Partnership in Prevention programme and the Identity Theft Crime and Research Lab, warned that identity theft and not terrorism may be the crime of the future.[2] Bruce Schneier, founder and CEO of Counterpane Internet Security, Inc, has called identity theft ‘the new crime of the information age.’[3]

However, identity theft does not only target online activities. The increasing importance of identity infrastructures in the delivery of public services or as part of border control measures attracts those looking for opportunities to exploit vulnerabilities as part of their own criminal enterprises. Forms of offline identity theft include passport forgery, the forgery of administrative and official documents and the collection of identity-related information through ‘dumpster diving’.

Nonetheless, despite increasing media interest and concern expressed by experts, there is still wide disagreement about what identity theft actually is. This is made worse by the conceptual difficulty that identity is not a property that can be stolen as such (since the use of information by one person does not generally deprive the other of its use), which renders the metaphor of identity ‘theft’ somewhat inappropriate and misleading. Some argue that identity theft is not a distinct crime in and of itself, and that it should mainly be dealt with in the context of its relationship to other (possibly unlawful) activities that may be facilitated by it. They argue that identity theft is part of identity fraud or a wider set of identity-related abuses. Others claim that the ubiquity of technology, coupled with globalisation, has led to the emergence of illegal identity ecosystems in which criminals commit ‘thefts’ but do not subsequently use these identities for other illegal purposes, other than selling them to others.
This, it is argued, means that identity theft should be a separately defined crime in order to deal effectively with this type of activity. Others still contend that the collection and/or sale of identities without lawful justification is already a crime in its own right, since it constitutes a violation of European data protection rules, and that the problem lies mainly in the effective enforcement of these rules.

Notwithstanding this, there are a number of ways in which identity theft or fraud may be perpetrated, both with and without the use of technology. Examples include shoulder surfing, suborning corrupt officials, stealing physical blanks of identity documents (eg, credit cards or passports), phishing, pharming and hacking. These methods may all be used in a blended fashion to acquire or steal identity and use it for further purposes.

The research described in our report indicates that economic gain is by far the most common motivating factor for committing identity theft or fraud. Other types of criminal or illegal activity identified in the literature that may be facilitated by identity theft as a precursor activity include money laundering, various types of fraud (of which there are many), illegal immigration, personal vendetta, corruption and terrorism. This was recognised by Europol in its 2006 EU Organised Crime Threat Assessment report.

The outcomes of identity-related crime include direct consequences for the individual and for different types of stakeholder (eg, businesses and governments). There may be longer-term indirect consequences, including the loss of trust that may occur as a result of abuse of identity infrastructures and the increased costs that may be passed on to consumers and citizens as a result of public and private sector organisations having to invest more in secure identity and authentication infrastructures.

[1] Neumann (1997)
[2] Collins (2003)
[3] Schneier (2004)
Direct consequences to the individual include the money that is stolen from them, the amount they have to pay in reconstituting their name, the loss of earnings or lost opportunity cost as a result of damage to reputation caused by becoming an identity theft victim, and the time and effort spent in taking restorative action. Victims might also suffer opprobrium from being mistakenly associated with crimes where their identity was used, for example illegal immigration or terrorism. This might be exacerbated by false imprisonment and other consequences of not being able to clear their name.

Addressing this challenge is unique as it sits astride the boundary between the public and private sectors: incentives to solve or address problems are external to those most affected, and there is no single ‘magic bullet’ that will eliminate the problem. Persistence, cooperation, coordination and communication will be necessary to overcome a multitude of barriers currently blocking effective solutions. These were all things highlighted by the European Commission’s own Action Plan to prevent fraud on non-cash means of payment (2004–07), which reflected that ‘identity theft is a cross sector problem, affecting governments, businesses and citizens... and is often linked to organised crime.’

There are interesting parallels between identity theft and efforts to address cybercrime. As with information technology, identity is both the target and the means of abuse. There are other parallels too, most notably in the transnational nature of identity theft and identity-related crime, the need for public and private sectors to work together, and the importance of ‘soft-law’ measures in addressing the problem. Indeed, reducing the opportunities available in the first instance, by the state encouraging citizens to take greater responsibility for their identities, constitutes an attractive route to addressing this type of malicious activity.
There are also myriad definitional aspects to the challenge.

Analysis

In the three tables below we present an overview of the countries profiled in this study. Table 1, below, indicates which countries have specific criminal legislation dedicated to identity theft or have relevant provisions in other criminal law. It also shows where specific case law exists. Whether each country has a specific dedicated reporting point for identity theft crime is noted, as is the existence of public awareness campaigns.

Table 1 Overall country comparison
Columns: specific ID theft provisions in criminal law?; relevant provisions in other criminal law?; case law?; specific dedicated reporting point?; public awareness campaign?
Rows: Australia, Austria, Belgium, Bulgaria, Canada, China, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, India, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, The Netherlands, Poland, Portugal, Romania, Russian Federation, Slovakia, Slovenia, Spain, Sweden, United Kingdom, United States. The tick-mark entries of this table do not survive in this text version.

Table 2 Maximum and minimum available criminal sanctions
Country: maximum criminal sanction; minimum criminal sanction
Australia: up to 10 years (Criminal Code Part 7.3); 1 year (Criminal Code Part 7.4)
Austria: up to 10 years (Sec 148a StGB Penal Act); 3 months (Sec 108 Federal Act Enacting a Telecommunications Act - TKB - 2003)
Belgium: up to 10 years (Article 196 Criminal Code); 15 days (Art 124 of Law of 13 June 2005)
Bulgaria: up to 20 years (e.g. Art. 212 Criminal Code); up to 1 year (e.g. Art 319e Para 1 of Criminal Code)
Canada: up to 14 years (Section 380(1) of the Criminal Code); up to six months (Section 342.01 Criminal Code)
China: death (Articles 192, 194 and 195 of Criminal Code); up to three years (Art 23bis of Criminal Code)
Cyprus: up to 14 years (Part VIII of the Criminal Code, Section 333); at least 2 years (Section 10 of law of 2004 ratifying the Cybercrime Convention)
Czech Republic: up to 12 years (Section 209 Criminal Code); 6 months (Section 232(1)(a) or (b) of the Criminal Code)
Denmark: up to 6 years (Article 171 Criminal Code); 4 months (Act No 429 on the processing of personal data)
Estonia: up to 5 years (Section 213 of the Criminal Code); up to 1 year (Section 344)
Finland: up to 4 years (Section 2 of Ch 33 of the Criminal Code); at least 4 months (Section 2 of Ch 36 of Criminal Code)
France: up to 10 years (Article 441-4 Criminal Code); up to 1 year (222-16-1 Criminal Code)
Germany: up to 10 years (Section 263(1) Criminal Code); up to six months (Section 269(3) Criminal Code)
Greece: life sentence (Article 1 of Law 1608/1950); 3 months (Section 370C(2) Penal Code)
Hungary: up to 10 years (Article 318 Criminal Code); up to 1 year (Article 276 Criminal Code)
India: up to 10 years (Section 70, IT Act 2000 and 2008); up to three years (Section 66A IT Act 2000, 2008)
Ireland: up to 10 years (Section 9 Criminal Justice (Theft and Fraud Offences) Act 2001); up to 3 months (Section 5 Criminal Damage Act 1991)
Italy: up to 6 years (Art 497bis Criminal Code); at least 6 months (Article 640 Criminal Code)
Japan: up to 10 years (Article 246 Penal Code); at least three months (Art. 258 Penal Code)
Latvia: up to 15 years (Section 177(1) Criminal Code); up to 2 years (Section 145, Law of 23 March 2000)
Lithuania: up to 6 years (Section 2 of Article 196 of Criminal Code); up to 2 years (Art. 198(2))
Luxembourg: up to 10 years (Article 196 Criminal Code); at least 8 days (Article 231 of the Criminal Code)
Malta: 7 years (Article 308, Chapter 9 Criminal Code); not exceeding 20 days (Article 308, Chapter 9 Criminal Code)
The Netherlands: 6 years (Article 255 Criminal Code); maximum 1 month (Section 1, Article 350b Criminal Code)
Poland: up to 8 years (Article 286 Section 1 Criminal Code); at least 3 months (Article 287 Section 1 Criminal Code)
Portugal: up to 10 years (Article 4 Cybercrime Law; Law no. 109/2009); at least 6 months (Article 256 Criminal Code)
Romania: up to 20 years (Art 215 Criminal Code); at least 3 months (Article 291 Criminal Code)
Russian Federation: up to 10 years (Article 159 Criminal Code); up to 3 months (Article 325 Criminal Code)
Slovakia: up to 15 years (Article 221 Criminal Code); at least 6 months (Article 226 Criminal Code)
Slovenia: up to 10 years (Article 211 Criminal Code); at least 3 months (e.g. Article 237 Criminal Code)
Spain: up to 8 years (Article 399bis Criminal Code); at least 3 months (Article 392, no. 2)
Sweden: 6 years (Chapter 9 Section 3 Penal Code); 6 months (Chapter 9 Section 2 Penal Code)
United Kingdom: up to 10 years (Fraud Act 2006); 12 months (Section 2, Computer Misuse Act 1990 as amended by the Police and Justice Act 2006)
United States: life imprisonment (Title 18 Section 1030 US Criminal Code); up to 1 year (Title 18 Sections 2701-2711 US Criminal Code)

Table 2, above, indicates the maximum and minimum criminal sanctions available from criminal law provisions in each country.
Table 3 Reporting mechanisms
Columns: dedicated off/online portal?; all crime; ID theft; feedback. Only the first column survives legibly in this text version:
Australia: Online
Austria: Online
Belgium: Online
Bulgaria: Online
Canada: None
China: None
Cyprus: None
Czech Republic: None
Denmark: None
Estonia: Offline
Finland: Online
France: None
Germany: None
Greece: Online
Hungary: None
India: Offline
Ireland: Offline
Italy: Online
Japan: None
Latvia: Online
Lithuania: Online
Luxembourg: None
Malta: Online
The Netherlands: Online
Poland: None
Portugal: Offline
Romania: None
Russian Federation: Online
Slovakia: None
Slovenia: None
Spain: None
Sweden: None
United Kingdom: Online
United States: Online

Table 3, above, illustrates in further detail the existence of reporting mechanisms, whether they are on- or offline, and whether they cover identity theft specifically or all forms of crime. Finally, the table illustrates whether there is a feedback mechanism for keeping the victim or individual who made the report apprised of the progress of the case.

Conclusions

In attempting to categorise identity-related crime, there are a number of dimensions which may be relevant, including: the role of information technology in the commission of the activity; the mechanisms used to obtain or fabricate identity information; the types of identity information and stakeholder targeted; and the resultant use to which that identity information is put (for example, defamation or character assassination, crimes against persons, infiltration of organisations for espionage, sabotage, terrorism, drug smuggling, money laundering, illegal immigration, etc.).
Furthermore, identity-related misuse/crime can be categorised according to its purpose (related to, but different from, the consideration of whether it is fraud or a separate, distinct form of criminality, as described above). In any event, the most common motives for the use of stolen identity documents are financial, and include obtaining and using credit, procuring cash and fraudulent loan applications.

When examining how countries attempt to address identity theft and identity-related crime from a policy perspective, the central conclusion of this study is that there is considerable variation. A minority of countries, most obviously the United States, have enacted specific identity theft legislation. Others, such as Canada or France, address the problem by dealing with precursor activities through the prism of criminal law. On the whole, however, among the countries studied there is little specific identity theft or identity-related crime law, with most using existing fraud or forgery legislation.

This brings us to the problem of where best to intervene, since the cross-border potential of these forms of misuse (especially where identity theft and identity-related crimes are linked to organised crime, money laundering or terrorism) requires concerted action amongst Member States but also at the EU level. The complexities of bringing into force a single pan-European instrument are not insignificant. As Chapter 1 shows, a generally agreed definition of identity theft remains elusive amongst practitioners, experts and academics. It seems that many on the front line take the view that ‘we know it when we see it’, but of course this approach has its limits: whilst it may be sufficient for police and operational-level coordination, cross-border cases require a rather clearer understanding. Furthermore, the absence of a clear definition makes the collection of statistics (necessary to tailor any response appropriately) difficult.
Nonetheless, the evidence presented in this report indicates that key policy priorities should revolve around the sharing of best practices and improving communication. The latter should apply both to exchanges between victim and investigator, and between investigators in different Member States. Setting up one-stop shops is a key part of the solution, as these allow identity theft victims to report identity crimes more easily, and can also act as a communications device enabling investigators to keep victims updated on the status of specific investigations. Indeed, such an approach is reflected in the Stockholm Programme, where the European Commission was invited to take measures to enhance/improve public-private partnerships. The study has identified several good practice examples of such one-stop shops in Member States.

A second pivotal point is the collaboration between national investigative bodies through an EU contact network, as is foreseen in Council Framework Decision 2005/222/JHA, at least for electronic identity theft, and in the Council Conclusions of March 2010 on implementing a concerted strategy to combat cybercrime, which envisage a variety of softer measures such as:
• The consolidation and, if necessary, updating of the functions of the European Cybercrime Platform (subsequently elaborated in the remit of Europol’s European Union Cybercrime Task Force and the Internet Crime Reporting Online System (ICROS)).
• Foreseeing a permanent liaison body with user and victim organisations and the private sector.

These should facilitate interactions at the European level, which would improve the effectiveness of European-scale investigations, with the additional benefit that such experiences could be extended to other categories of criminal investigation.
Further down the road, it is equally important to extend this approach to other countries (as foreseen in the Convention on Cybercrime), which will require renewed policy attention on this point.

Finally, identity theft also clearly faces the challenge of policy priority. This is not a matter of putting in place suitable legislation (which law applies) or of addressing operational challenges (who to talk to in international investigations), but simply a matter of prioritisation: which cases of identity theft are worth investigating and prosecuting? The question is not trivial: especially in international cases with an Internet component (eg, the creation of false identities to enable fraud), investigations can be complex and very time consuming, and as a consequence also very expensive. The country reports identified several instances where cases were not followed up, simply because of a real or perceived disproportion between the harm suffered by the victim and the resources required to take action (especially considering the uncertainty of the outcome beforehand). This is, however, a challenge which applies to most categories of international crime, especially those conducted via the Internet, where a skilled criminal can more easily hide their traces. Here, too, a common position needs to be found at the international level, since differences in investigation and prosecution priorities between countries will only lead to investigations in one country being blocked if they are not considered important enough by investigators in a second country.

In summary, the reports have identified that there is indeed some variation between the examined countries in the classification of identity-related crimes and their follow-up in practice.
However, and more importantly, this lack of common criminalisation rules does not seem to be the key problem in effectively addressing identity theft challenges, as any examined incident of identity theft is conceivably covered by one or (in most cases) more possible criminal classifications. In theory, the European data protection rules (ie, a qualification as unlawful processing of personal data) could act in this respect as a convenient catch-all safety net for incidents with an otherwise unclear legal status, with the added benefit of being common at the EU level. However, while the collected evidence shows that data protection rules could play this unifying role in theory, it should also be duly acknowledged that the reality is quite different. Data protection rules are only rarely applied to cases of identity theft in practice, as can be seen in the examined case law. Enforcement of data protection rules is thus not likely to be an effective strategy to address identity-related crime, unless the emphasis on enforcement of these rules is improved significantly. In that light, it is not surprising that some countries have chosen to introduce further qualifications with respect to identity theft, either as a matter of national preference or with a view to ensuring that identity theft is given a higher priority.

While the lack of a common criminalisation framework does not appear to be the primary barrier to effectively combating identity theft and identity-related crime (at least not more so than for other types of crime), cooperation between countries in the course of investigations and the actual follow-up of reported cases is an issue. The country reports show that interactive online reporting mechanisms are not yet prevalent, and that their functionality (when available) is generally limited.
Even when they allow victims to register complaints, the follow-up of the complaint is in many cases unclear, and correspondents for the surveyed countries frequently noted that investigations into specific incidents were not treated as a high priority or closed relatively quickly when damages were unclear or perceived to be limited. Whether or not a reprioritisation is required in this respect is, of course, mostly a policy issue. However, it does seem clear that a more effective response to identity theft incidents requires two areas to be addressed as a priority. Firstly, cross-border criminal investigations should be streamlined, both at the EU and international levels, building on the legal frameworks that have already been mentioned. This requires more effective communication between national investigative authorities, and preferably also a consensus on which cases will be considered a priority for investigation, in order to avoid wasted resources. Secondly, the reports show that reporting mechanisms (when available) are generally perceived as useful by the victims, provided that they indicate clearly how complaints will be processed, and most importantly that the victim receives follow-up communication indicating what the status of a specific complaint is. Such reporting mechanisms (or more accurately communication mechanisms, since feedback is required) can be implemented building on existing good practices identified in certain Member States. Finally, the frequent use of such reporting mechanisms would also support the more systematic collection of statistical data on identity theft and identity-related crime, including the prevalence of specific categories of identity theft and identity-related crime, their consequences to the victim, and possibly the outcome of any investigations. Such data are currently largely unavailable at the national level, and mostly incomparable at the European level even when they exist. 
Improving the availability of statistical data would improve awareness of identity theft and identity-related crime risks, increase know-how, and facilitate policy making at the national and European level, if implemented in a sufficiently homogeneous way across the Member States. Based on this approach, reporting of identity theft incidents could be improved, as could the follow-up of complaints and the effectiveness of international investigations.

In summary, our study illustrates that in many EU Member States, despite the absence of a single pan-European instrument governing identity theft, there is no clear evidence of any significant gaps in legislative responses. However, there remain a number of challenges in respect of implementation and interpretation of existing laws with respect to identity theft, most notably the applicability of existing rules with varying sanctions to identity theft incidents, and the disparities observed in non-legal responses (e.g. presence of and efficacy of reporting points, awareness campaigns and so on) which arguably are, as the UNODC report illustrates, potentially more viable routes to addressing these forms of misuse. Understanding the implications of any European intervention to address these issues might thus best be served through further research into the costs and benefits of different options for addressing identity theft and identity-related crime (an exercise outside the scope of this study), for example through a more formal regulatory impact assessment.
Structure of the remainder of this report

The rest of this document is structured in the following way:

Chapter 1: Introduction and Chapter 2: Overall concepts discuss the general factors that impinge upon identity theft and identity-related crime, giving a definition of identity and exploring some of the characteristics of the misuse of identity-related information (including whether identity theft should be considered as part of identity-related fraud or separately). A number of interesting conceptual frameworks are presented which illustrate the definitional complexities inherent in this field.

Chapter 3: A typology of identity-related crime gives a more detailed summary of different attempts in the literature to define the means by which identity theft takes place in both the online and offline worlds. This chapter also reflects on the use of identity theft as a precursor activity to the commission of other forms of crime such as corruption, fraud, terrorism and money laundering.

Chapter 4: The consequences of identity-related crime presents a framework for understanding the direct and indirect personal and organisational consequences of identity theft, ranging from the costs to rectify the direct damage caused to broader socio-economic consequences (such as damage to society, loss of trust and transferred costs that those responsible for identity infrastructures may pass on to the consumer or citizen).

Chapter 5: Responses and mitigation discusses criminalisation, legal efforts and identity assurance as the main means by which the challenges associated with identity theft and identity-related crime might be addressed.

Chapter 6: Conclusions brings together the findings of the previous chapters from the analysis of the state of the art.

Chapter 7: Country summaries contains short outlines of each national country profile contained in the separate D2: Interim Report: National Country Profiles.
Chapter 8: Analysis lays out our impressions from the country profiles in a structured format, and Chapter 9: Conclusions and Recommendations explains how these impressions lead us to the recommendations as summarised above.

CHAPTER 1 Introduction

In this introduction we highlight the growing importance of identity, establish the conceptual differences between identity and personal data and discuss some important overarching issues relating to the drivers of the emergence of identity theft and identity-related misuse.

Identity is everywhere and a universal property. Governments and nation states rely upon identity to identify and verify citizens and for ‘key aspects of governance’ including national security and crime (via the identification of criminals and terrorists) but also immigration and taxation. The private sector and individuals also use identity for banking, property ownership and a wide range of other transactions.

Identity is more than a document. It may take the form of a set of information and documentation (some of which may be paper and have specific legal status while others might be in electronic form) that can be used to establish who we are as unique individuals and also link to other information about us.

The criminal misuse of identity is a major concern precisely because of its universal and ubiquitous nature, and because of its pivotal role in structuring societal interactions. The use of identity-related information by public and private sectors, while not new, has been catalysed by a range of trends including the emergence and popularity of technology such as the Internet, cheap computing and broader societal trends including mobility, globalisation and cheaper air travel. Technology has brought about new vulnerabilities – especially via unsecured personal computers – and made existing identity infrastructures more vulnerable (eg, by facilitating document forgery).
Many have argued that this constitutes technology-enabled crime, whether the technology is being used to perpetrate offline forms of identity crime (eg, via the use of high quality printers) or is conducted entirely online (eg, via phishing). Technology is a double-edged sword: it both changes and makes more efficient and effective the way in which identity can be established, but also has similar effects on the way identity can be abused. Some have said that technology has ‘centralised’ identification infrastructures and concentrated data.4 Technology also permits new and sophisticated methods of committing existing crimes, such as through the use of the Internet to perpetrate advance fee fraud or the distribution of fake phishing emails in order to dupe individuals into divulging personal data. The increased mobility of individuals, facilitated by cheap air travel, also presents further opportunities for immigration-related fraud, passport forgery and abuse of travel-related identity documentation. Economic globalisation, meanwhile, renders public and private identity infrastructures more complex and transnational, resulting in an expansion of the playing field for those looking to exploit loopholes. Thus, although transnational fraud (inextricably linked to the canon of identity-related crime) is an old problem, it has been increasingly expanded in scope by economic globalisation and supporting technologies.

These risks and vulnerabilities are not only characteristic of developed countries, however. Although developing countries may rely more on paper-based identity documents, technology has rendered these vulnerable and the drivers for migration also present rich opportunities for criminals looking to deceive expectant migrants looking to move to a perceived ‘better life’.

4 Chryssikos et al. (2008)
1.1 The role of technology

Technological advances and the broad uptake of their new applications can have a significant impact on the way identity crimes are committed and the targets that they are committed against, as well as on the prevalence of identity crimes and the type of skills used by the offender. Technological capacity (eg, the ability to store large amounts of data at remote locations or on portable devices) means that more information of the type necessary to commit an identity crime may be digitised and stored and therefore available to (legal or illegal) access. Not only may the information necessary to commit identity crime be more widely available, it may also be easier to gain access to information to commit identity crime by using the characteristics of targets (eg, Internet users might become easier targets).

Choo et al. present a useful overview of future directions in technology-enabled crime for the Australian Government’s Institute of Criminology where they highlight that developments in digitisation, along with globalisation, the emergence of payment and funds transfer systems and the growth of e-government are all driving various forms of technology-enabled crime (a term which by implication includes some of the more popular forms of identity theft and fraud).5 Criminals also seem to be what is known in the business world as ‘early adopters’, individuals who are taking up new technologies and creatively applying them for their own purposes. Consequently, some authors have postulated that new technologies will benefit criminals more while law enforcement will always lag behind, trying to catch up.6 The 2003 Cyber Trust and Crime Prevention (CTCP) study concluded for the UK Foresight office also described the way in which criminals might take advantage of technological developments and explored what technological solutions might be available to reduce these risks and encourage trust in identity infrastructures.7

5 Choo et al. (2007)
6 Savona & Mignone (2004)
7 Cyber Trust and Crime Prevention (2004)

Specific technological developments that might have an impact on identity theft include the increasing use of high-speed connectivity (wireless technologies such as WiFi, and 3G radio technologies) and the decreasing cost and size as well as increasing processing power of microprocessors. These help to enable identity infrastructures allowing more efficient processing of identity-related information via the transmission and reception of such credentials in digitised form. Furthermore, increasingly powerful microprocessors permit more and more complex forms of identification to take place. The decreasing cost, size and increasing capacity of storage devices (such as USB sticks and solid state disk drives) is another driver as it facilitates more and more storage of digitised identity-related information.8

8 Cave, J., et al. (2010)

CHAPTER 2 Overall concepts

In this chapter we present overall definitions of identity and explore some of the characteristics of the misuse of identity-related information such as identity theft, identity-related fraud and identity crime.

2.1 What is identity?

Identity may be defined as ‘the individual characteristics by which a thing or person is recognised or known’.9 A more precise definition is the subject of much philosophical thought – identity can be thought to be related to whether an entity is self aware. Others have argued that the idea of identity changes over time or in relation to events.10 Identity information has been recognised as the currency of the modern developed society: a ‘central organising principle’11 around which the public and private sector increasingly organises itself and which generates economic growth, value and efficiency.
The defining qualities of identity in the current era, where a seemingly infinite amount of information is held electronically or is available online, have been summarised by the Joint Research Centre of the European Commission as follows:

Each person has a unique identity, but in the digital age, many pseudo identities exist, and these may be artefacts of a person or elements of a piece of hardware or software or even an organization. Other qualities, including the actions of persons, can be attached or linked to their identity, and people do not need to divulge their identity for all transactions.12

The increasing complexity associated with understanding who one is really dealing with in any one transaction is thus the chink through which offenders and criminals can abuse identity information.

9 Definition by WordNet Search 3.0. As of 25 January 2011, available at: http://wordnetweb.princeton.edu/perl/webwn
10 Olsen (2002)
11 Madeline, J., Speech to the 2005 Annual Symposium of the Information Assurance Advisory Council
12 Mitchison et al. (2004)

2.2 Is identity theft part of identity fraud?

In 1994, Roger Clark wrote that:

Human identity is a delicate notion which requires consideration at the levels of philosophy and psychology. Human identification, on the other hand, is a practical matter. In a variety of contexts, each of us needs to identify other individuals, in order to conduct a conversation or transact business.13

Based on this distinction between the vague and multifaceted concept of ‘identity’ compared to the more applied problem of ‘identification’, the use of the term ‘identity’ in conjunction with ‘theft’, ‘fraud’, ‘crime’ or similar terms has undergone some criticism.14 However, setting aside the conceptually easier to define and seemingly more correct usage of ‘identification’ instead of ‘identity’, the next question is the definition of ‘identity theft’, ‘identity fraud’ and ‘identity crime’.
The less commonly used ‘identity crime’ (or even ‘identity-related crime’) might be terminology-wise more sound. Indeed this was the approach taken by the UN ISPAC in a major international conference in 2007. The difficulty of linking the relatively well understood legal definition of ‘theft’ to an information-centric concept of ‘identity’ is that the informational characteristics of identity (non-exclusivity) render the assignment of the status of property (and hence theft) complex; the fact that one person is falsely using the identity of another does not necessarily mean that the victim is deprived of his or her identity. Legal definitions of the constructs of theft and fraud may thus have an impact when considering the use and definition of ‘identity theft’ and ‘identity fraud’. As pointed out in the FIDIS report on the Dutch Penal Code (and this applies to many other criminal codes in the world) theft requires the loss of possession of tangible goods; consequently the applicability of the concept of theft with respect to identity might be limited. Usage of the notion of ‘theft’ may also undermine the reality that there is not only a criminal but also a civil aspect to identity theft/fraud that may bring with it a tort liability for damages.15 Indeed, it may be more a question of interfering with the exclusivity of identity and the rights and obligations related to it within our societal system.

Broadly defined, ‘identity crime’ would cover any crime that involves the fraudulent use of identity information, whether that information refers to an actual (living or deceased16) natural person, an existing organisation (ie, a legal person), or to a fictitious person. Abusing identity information would in turn entail falsifying it, ‘stealing’ it, or accessing it unlawfully by other means.
The International Scientific and Professional Advisory Council (ISPAC) of the United Nations Crime Prevention and Criminal Justice Programme remarked in its report from the 2007 International Conference on ‘The evolving challenge of identity-related crime: addressing fraud and the criminal misuse and falsification of identity’ that:

Different terms such as identity theft and identity fraud are used in various jurisdictions to describe the same conduct and in addition there is a lack of concerted action to combat such conduct.17

Indeed, in the remainder of its report and discussions, the term ‘identity-related crime’ was subsequently agreed upon. Given the prevalence of the terms ‘identity theft’ and ‘identity fraud’18 (which perhaps may be recognised as different aspects of identity-related crime) their relationship and definition will be essential for any research in this area.

13 Clark (1994)
14 Sproule & Archer (2007)
15 FIDIS (2006)
16 ‘Stealing’ the identity and sometimes the societal role of a dead person, who is not widely known to be deceased, is called ‘ghosting’
The difficulty that the lack of a commonly accepted definition of ‘identity theft’ and ‘identity fraud’ poses for statistical comparisons, research purposes, and policy formulation has been stressed by several authors such as Koops & Leenes,19 Sproule & Archer,20 and in the World Privacy Forum’s report on medical identity theft.21 There are a number of different ways in which the relationship between the terms ‘identity theft’ and ‘identity fraud’ can be viewed:22

• Identity theft and identity fraud are frequently used interchangeably in media and public awareness reporting (often in blogs and websites)
• Identity theft as the initial activity that is followed up subsequently by identity fraud
• Identity theft as a subset of identity fraud23

Examples of those that treat identity theft as the initial activity followed by identity fraud include Collins, who indicates that:

Identity theft, however, is to be distinguished from identity crimes – those offences committed using the stolen personal or business identifying information – or ‘identities.’ Thus, the conceptual relationship between identity theft and identity crime is that the former facilitates the latter. In short, stolen identities are used to commit many other crimes which is why identity theft also can be viewed as an all-encompassing or overarching megacrime… Personal identity theft is the unauthorized acquisition of another individual’s personally sensitive identifying information: personal identity crime is the use of such information to obtain credit, goods, services, money, or property, or to commit a felony or a misdemeanour… The theft and the crime are two different offences, each with its own structure of penalties and fines.24

This indicates that the question of complementarity or independence of the notion of ID theft remains unresolved and needs to be tackled: in other words, it is pivotal to assess whether or not ID theft can be considered as a crime as such (even if the stolen identity is not used for other illegal purposes), or to the contrary whether ID theft may exist only against the backdrop of a bigger criminal intent, called ‘megacrime’ by Collins.

A consultation that took place in 2004 as part of the Canadian government’s efforts to design new legislation proposed a ‘double-branched’ definition of identity theft. This required splitting it into two stages: a pre-attempt or preparatory stage of ‘acquiring, collecting and transferring personal information and a subsequent stage as the actual use of personal information in the attempt or actual commission of an offence’. This is ultimately characterised as a continuum of criminal behaviour which starts with identity theft and finishes with identity fraud.25 This ‘preparatory act’ approach is also used by the US Identity Theft and Assumption Deterrence Act.

17 Chryssikos et al. (2008)
18 As of 25 January 2011, the term ‘identity theft’ has 22.5 million Google and 23,500 Google Scholar hits, followed by 324,000 Google and 3,590 Google Scholar hits for ‘identity fraud’, and by 82,300 Google and 373 Google Scholar hits for ‘identity crime’
19 Koops & Leenes (2006)
20 Sproule & Archer (2007)
21 World Privacy Forum (2006)
22 Sproule & Archer (2007) list another distinction that is commonly used in the US banking industry. This differentiation views ‘identity theft’ as a subset of ‘identity fraud’, with identity theft describing fraud linked to the opening of a new account using someone else’s identity, while identity fraud is the use of an existing account by an unauthorized person
23 See Koops & Leenes (2006) and FIDIS (2006)
While acknowledging the advantage of a flexible and broad definition for law enforcement, Sproule & Archer regard this as being too broad for research purposes.26 Finally, a 2005 report from Javelin used the term ‘identity theft’ to describe unauthorised access to personal information and ‘identity fraud’ as the use of that information to achieve illicit financial gain. Indeed, one can occur without the other: identity information may be stolen from a corporate data centre and then posted (yet not sold) on the criminal underground on the Internet and similarly relatives may be given access to PIN numbers to act via proxy yet then misuse these numbers for their own benefit.27

By comparison, in understanding and treating identity theft as a subset of identity fraud, Lacey & Cuganesan define identity theft as an activity involving an individual ‘falsely representing him or herself as another real person for some unlawful activity’ while ‘identity fraud comprises both the use of a real person’s identity (identity theft) as well as that of a fictitious identity’.28 Gordon et al. indicate that for them, identity fraud ‘is defined as the use of false identifiers, fraudulent documents, or a stolen identity (identity theft) in the commission of a crime… Identity fraud is broader than identity theft in that identity fraud refers to the fraudulent use of any identity, real or fictitious, while identity theft is limited to the theft of a real person’s identity’.29 It is clear that to these authors, as well as for the abovementioned sources, ID theft is not necessarily an independent crime.

24 Collins (2005) [cited in Sproule & Archer (2007)]
25 Canadian Department of Justice (2006) [cited in Sproule & Archer (2007)]
26 Sproule & Archer (2007)
27 Javelin (2005) [cited in Sproule & Archer (2007)]
28 Lacey & Cuganesan (2004)
29 Gordon et al. (2004)
Rather, it may exist only in conjunction with other illegal behaviours, so that ID theft should be considered as being complementary to crimes such as fraud, corruption, terrorism, etc.

Some definitions of identity theft, such as that proposed by the Organisation for Economic Co-operation and Development (OECD), focus upon an act in which an existing (natural or legal) person’s information is used in connection with a crime: ‘[identity theft is] when a party acquires, transfers, possesses, or uses personal information of a natural or legal person in an unauthorised manner, with the intent to commit, or in connection with, fraud or other crimes.’30 By contrast, Grijpink’s understanding covers the use of identity theft based on the creation of a fictitious person: ‘Someone with malicious intent consciously creates the semblance of an identity that does not belong to him, using the identity of someone else or of a nonexistent person’.31

The 2006 EU Future of Identity in the Digital Society (FIDIS) project further develops these intricacies in its conceptual framework for identity-related activities shown in Figure 1.32

Figure 1 Conceptual framework of identity-related activities

In this framework, identity theft is presented as a subset of identity fraud. The FIDIS study also emphasises that not all identity-related activities are unlawful; there are lawful identity changes, including public sketch situations like practical jokes with a hidden camera where an actor assumes a different role.
Koops & Leenes, referring to a framework similar to that of the FIDIS report, highlight that when tackling identity-related crimes (which they see as a wider umbrella term) lawmakers and law enforcement agencies have to take into account not only situations where the use of another person’s identity happens without the person’s consent but also when it happens consensually yet unlawfully.33 Such a situation can occur if an unlawful identity delegation or exchange harms a third party.

Definitions can vary also with respect to the identifiers used. While, for example, the UK Cabinet Office defines identity fraud as the case where ‘someone takes over a totally fictitious name or adopts the name of another person with or without their consent’, and thus refers only to the use of a name (fictitious or existing), most other definitions are not restricted in this respect.34 There are also domain-specific definitions such as the definition of identity fraud by the Dutch Ministry of Justice as ‘forms of misuse or fraud with respect to identity and identity data, with which a person or a group of persons intends unlawfully to claim government services, or otherwise to derive a benefit unlawfully’35 – in this interpretation, ID theft is thus complementary to the commission of fraud.

Another more domain-focused definition of identity theft is provided by the World Privacy Forum. It characterises medical identity theft as ‘theft [that] occurs when someone uses a person's name and sometimes other parts of their identity – such as insurance information – without the person’s knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods.

30 OECD (2008)
31 Grijpink (2003), p.148
32 FIDIS (2006)
Medical identity theft frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim’s name.’36

Table 4, below, provides a comparative overview of definitions from a number of different sources:

33 Koops & Leenes (2006)
34 UK Cabinet Office (2002)
35 Dutch Ministry of Justice (2003)
36 See (as of 25 January 2011): http://www.worldprivacyforum.org/medicalidentitytheft.html

Table 4 Comparative overview of definitions

Columns: Source; (a) Identity crime / identity-related crime; (b) Identity theft; (c) Identity fraud; (d) Other. Each row below lists the source followed by the columns for which it provides a definition.

Source: US Identity Theft and Assumption Deterrence Act
(b) Identity theft: Whoever knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or otherwise promote, carry on, or facilitate any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.

Source: OECD (2008)
(b) Identity theft: ID theft occurs when a party acquires, transfers, possesses, or uses personal information of a natural or legal person in an unauthorised manner, with the intent to commit, or in connection with, fraud or other crimes.

Source: UK Home Office Identity Fraud Steering Committee (available at: http://www.identitytheft.org.uk/identitycrimedefinitions.asp)
(a) Identity crime: This is a generic term for identity theft, creating a false identity or committing identity fraud.
(b) Identity theft: This occurs when sufficient information about an identity is obtained to facilitate identity fraud, irrespective of whether, in the case of an individual, the victim is alive or dead. Identity theft can result in fraud affecting consumers' personal financial circumstances as well as costing the government and financial services millions of pounds a year. Identity theft is also known as impersonation fraud. It is the misappropriation of the identity (eg, name, date of birth, current or previous addresses) of another person without their knowledge or consent.
(c) Identity fraud: This occurs when a false identity or someone else’s identity details are used to support unlawful activity, or when someone avoids obligation/liability by falsely claiming that he/she was the victim of identity fraud. Identity fraud involves the use of an individual or a company’s identity information to open accounts, fraudulently obtain social security benefits (in the case of individuals), apply for credit and/or obtain goods and services. Identity fraud can be described as the use of that stolen identity in criminal activity to obtain goods or services by deception. Stealing an individual’s identity does not, on its own, constitute identity fraud and this is an important distinction.
(d) Other: False Identity: This is a) a fictitious (ie, invented) identity, or b) an existing (ie, genuine) identity that has been altered to create a fictitious identity.

Source: UK Cabinet Office (2002)
(c) Identity fraud: ID fraud arises when someone takes over a totally fictitious name or adopts the name of another person with or without their consent.

Source: UK’s Fraud Prevention Center (CIFAS) (available at: http://www.cifas.org.uk/default.asp?edit_id=566-56)
(b) Identity theft: Identity theft (also known as impersonation fraud) is the misappropriation of the identity (such as the name, date of birth, current address or previous addresses) of another person, without their knowledge or consent. These identity details are then used to obtain goods and services in that person's name.
(c) Identity fraud: Identity fraud is the use of a misappropriated identity in criminal activity, to obtain goods or services by deception. This usually involves the use of stolen or forged identity documents such as a passport or driving licence.

Source: Mitchison et al. (2004) (JRC of the European Commission)
(b) Identity theft: The term “identity theft” is widely used in the United States, and not so widely in Europe. The paradigm case of identity theft seems to be:
• a rogue finds out some facts about, or acquires some documents belonging to, the ‘victim’
• he then uses these facts or documents to contact various organisations pretending to be the victim
• under these pretences, he either acquires control of the assets of the victim, or carries out acts with negative legal or financial consequences, which he misdirects to the victim.

Source: Dutch Ministry of Justice, ‘Hoofdlijnen kabinetsbeleid fraudebestrijding 2003-2007’, 24 June 2003
(c) Identity fraud: Identity fraud concerns forms of misuse or fraud with respect to identity and identity data, with which a person or a group of persons intends to unlawfully claim government services, or to otherwise unlawfully benefit himself.

Source: Perl (2003)
(b) Identity theft: Identity theft is ‘the theft of identity information such as a name, date of birth, Social Security Number, credit card number,’ (Hoar 2001) or any other personal identification information in order to obtain ‘loans in the victim's name, steal money from the victim's bank accounts, illegally secure professional licenses, drivers licenses, and birth certificates,’ (Sabol 1999) or other unauthorized use of the victim's personal information for financial or other activity.
(d) Other: Criminal record identity theft occurs when the identity thief obtains a victim’s personal information and then commits crimes, traffic violations, or other illegal activities while acting as the victim. Instead of providing law enforcement with her own personal information, the identity thief provides the victim’s personal information in order for the identity thief to avoid criminal convictions and legal sanctions in her own name.

Source: Koops & Leenes (2006)
(a) Identity-related crime: Identity-related crime concerns all punishable activities that have identity as a target or a principal tool.
(b) Identity theft: Identity theft is fraud or another unlawful activity where the identity of an existing person is used as a target or principal tool without that person’s consent.
(c) Identity fraud: Identity fraud is fraud committed with identity as a target or principal tool. (Fraud: ‘procuring, without right, an economic benefit for oneself or for another person.’)

Source: Grijpink (2003) (followed also in FIDIS (2006))
(b) Identity theft: Someone with malicious intent consciously creates the semblance of an identity that does not belong to him, using the identity of someone else or of a non-existent person.

2.3 Conclusions

Given the choice of possible definitions it might perhaps be better to decide on the relevant features that any such (working) definition should provide for. An example list of characteristics of identity theft is provided by the FIDIS report.37 We propose to apply this conceptual framework in the present report as well, as the FIDIS definition appears to be comprehensive and sufficiently well structured to cover, from a pragmatic perspective, all the different sorts of misuse envisaged. Furthermore, the FIDIS definition was arrived at after a long consensus building process amongst a coherent (albeit small) community of academics. The FIDIS description states that identity theft must exhibit the characteristics of: malicious intent; conscious action; creation of a semblance; use of a third party or ‘other’ identity not belonging to the perpetrator; use not merely possession of the acquired identity; and finally that identity theft can involve existing and non-existing identities. Nonetheless, the use of working definitions at the operational level represents a level of cooperation generally not present in the legal domain.
Indeed, it may well be the case that addressing the policy challenges associated with identity theft and identity-related crime is best undertaken using a pragmatic approach. Against the abundance of definitions and the blurry lines that separate each definition, identifying those used in different jurisdictions is essential to establish useful international cooperation.

37 FIDIS (2006)

CHAPTER 3 A typology of identity-related crime

In this chapter we build upon the understanding of identity and identity-related crime (including pure theft but also the onward use of stolen or fabricated identities to commit other crimes) described in Chapter 2 to elaborate on the different technical approaches, whether they be offline or online. Following their analysis of the different potential relationships between identity theft and identity fraud, Sproule & Archer settle for a definition of identity-related crime where identity theft constitutes the initial activity which may be subsequently followed up by identity fraud.38 This approach is also generally supported by the conclusions of the ISPAC 2007 conference, which indicated that such a ‘catch all’ concept was a valid way to capture the full range of identity-related crime.39 In this model, activities to develop a false identity, like document breeding, counterfeiting or ID trafficking, can occur as intermediate steps before committing the crime that the identity theft is aimed to enable (see Figure 2). In this framework, ID theft plays a role as a preparatory activity for the commission of other crimes.

Figure 2 Identity theft and identity fraud framework40

38 Sproule & Archer (2007)
39 Chryssikos et al. (2008)
40 Sproule & Archer (2007)

The abuse of identity-related information represents a complex public policy challenge since it affects both the public and private sectors.
It has a range of social, psychological and economic implications. Companies and individuals may be damaged economically by crimes committed through the use or compromise of identity-related information, and society at large may be harmed – through, for example, additional costs put in place by those in the public and private sector who rely upon identity information but who must also cover and pass on the costs of risks and misuse to others. This situation is made more complex where a credential designed for one purpose is used for another. For example, in the United States the Social Security Number is used for a variety of public and private identification requirements; in the UK, in the current absence of a national identity card, the driving licence and passport have become the de facto form of identification in public, but crucially also in private scenarios (eg, for the purchase of age-restricted items such as alcohol). Technology, such as the biometric-enabled smart card, is further blurring these boundaries.41 And as was noted at the 2007 ISPAC conference, ‘...crimes against any form of identification can affect both [public and private] areas.’42

An additional issue to take into account regards the reality of the identity to be protected against ID theft. Should only the identity of real persons be protected against abuses, or are fictitious identities equally deserving of such protection? In the literature it has been said that ‘identity fraud comprises both the use of a real person’s identity (identity theft) as well as that of a fictitious identity’43; furthermore it has been pointed out that identity fraud is broader than identity theft in that identity fraud refers to the fraudulent use of any identity, real or fictitious, while identity theft is ‘limited to the theft of a real person’s identity.’44 This approach of the literature has been followed by the French lawmaker (see below).
These positions pose the risk that the sphere of protection of identities becomes too vaguely defined and potentially unlimited. Should, for example, the creation of an avatar or persona for specific online contexts be considered unlawful? In examining this question, the societal value and benefit of pseudonyms should also be appreciated; for example, the use of a fictitious name might allow knowledgeable individuals the freedom to participate in online debates, to a much greater extent than if they would be required to use their own identities. Furthermore, there exist other legal measures to protect existing fictitious identities against abuses, such as copyright when the identity (or in this context, the character or persona) is the product of the creativity of its author. Of course a case-by-case approach is necessary in order to assess the legal or illegal nature of the behaviour of the ID thief: using a completely fictitious identity to spout critical opinions is entirely different from using another person’s name to dishonestly create a semblance of credibility, or inversely to harm that person’s reputation by presenting opinions which are contrary to his real positions.

41 For example, see the Biometric European Stakeholder Network (BEST) Deliverable 4.1: State of Art of Biometrics in eID Systems. As of 25 January 2011: http://www.best-neu.eu/documents/deliverables.92.html
42 Chryssikos et al. (2008)
43 Lacey & Cuganesan (2004)
44 Gordon et al. (2004)

3.1 Options for classification and categorisation

There are various dimensions through which one can categorise identity-related crime. These include:
• Whether the activity is IT-enabled or not
• Which mechanisms are used to obtain or fabricate identity information
• What kinds of identity information are targeted
• What kinds of entities are targeted (individuals, corporations, government agencies, religious or ethnic groups, etc.)
• To what criminal purposes identity information is used (financial gain, criminal aliasing (ie, causing the wrong person to be arrested for a crime), defamation or character assassination, crimes against persons, infiltration of organisations for espionage, sabotage, terrorism, drug smuggling, money laundering, illegal immigration, etc.).

Identity crimes may be crimes in themselves, where the identity is the aim and target of offenders. Identity offences may also be mere instruments for other crimes, in the way money laundering is a result of other predicate offences. The latter may be the largest category, since identity abuse could be instrumental in the perpetration of tax evasion and fraud, terrorist financing, capital flight, bribery and corruption, etc. Identity crimes are thus facilitative or enabling. A final and even more difficult to identify category has been proposed: a form of identity misconduct characterised as a response to state actions.45 This is where targets or suspects may engage in identity-related misconduct for self-protection or in order to avoid legal or economic sanctions and penalties (for example, appearing on terrorist watch lists).

A further approach might be via consideration of who is affected (a stakeholder-centric view). Possible victims could be the identity of the physical person, the identity of the legal person or organisation, or the identity of the government agency or body. There are also two other classes of stakeholder affected, both of whom are important but whose impact cannot be easily determined. One is the financial service providers and credit card companies in whose instruments consumers and other organisations place their trust. The other is broader society itself – as identity misuse becomes more and more endemic, trust in the various public and private systems becomes eroded, resulting in a chilling effect in, for example, willingness to engage in e-commerce or place trust in governments.
However, measuring this sort of embedded impact is complex to say the least. Assessing which stakeholders are concerned and affected by the identity misconduct is relevant in order to determine who is entitled to compensation in a civil action; from the perspective of criminalisation, the issue is less relevant.

45 Chryssikos et al. (2008), p.99

3.2 Identity-related crime for direct economic gain

Perhaps the most compelling driver for this form of criminal activity is direct economic benefit. A 2007 study for the Centre for Identity Management and Information Protection (CIMIP) provided an analysis of 517 cases of identity theft from the perspective of the offender, which demonstrated the extent to which economic motivation drove identity theft.46 This report presents evidence that out of the 517 cases studied, the motivations linked to economic gain were by far the most common driving factor for undertaking this type of crime. Table 5, below, summarises how these rationales break down out of the total number of cases studied.

Table 5 Motive for use of stolen identity documents
Motive for use of stolen identity documents      %
Obtain and use credit                            45.3
Procure cash                                     33
Conceal actual identity                          22.7
Apply for loan to buy vehicle                    20.9
Manufacture and sell fraudulent IDs              7.7
Obtain cellphones and services                   4.6
Gain government benefits                         3.8
Procure drugs                                    2.2

3.3 Relationship to other major forms of criminal activity

The peculiar characteristic of identity theft as a preparatory activity as well as a form of potential criminal activity in itself is complex and leads to other policy complexities. Identity-related crimes thus have a distinct and separate relationship to other criminal activities including fraud, organised crime, cybercrime, money laundering and terrorism.
Identity theft has been specifically linked to four other complex forms of crime: organised crime, terrorism, fraud, corruption and money laundering. The distinction of these four types of crime is mostly relevant when examining ID theft from a criminological point of view, since from the strict legal perspective they can intermix: fraud, for example, can equally be committed in the framework of terrorist or criminal activities. By way of a practical example, if a person steals a credit card owner’s information in order to obtain resources for terrorist purposes, a criminologist might well argue that the fraud falls within the framework of terrorism (since the goal of the fraud is to finance terrorist activities), but legally speaking this person may be prosecuted for fraud (and for terrorism as well).

46 CIMIP (2007)

In relation to organised crime, which has an extensive transnational character, identity-related crime might only be possible among those groups with the resources and expertise associated with organised crime. Organised criminal gangs might undertake identity-related crimes in order to protect members from surveillance and carry out international travel. Some countries have reported that this has led to a high degree of specialisation in the market for identity as an illicit commodity: with the exploitation of weaknesses in issuance systems or the production of forged documents to sell on to others for other criminal uses. In this way organised criminal gangs might be said to be growing the black market for illicit identity information.

Terrorists might choose to engage in the misuse of identity-related information in order to travel and hide their activities from the authorities. Some of the characteristics of the use of illicit identity information by terrorists and organised criminal groups are closely linked.
Terrorist groups may acquire or purchase illicit identities from other criminal groups and may use identity-related crime to fund their operations.

The relationship between identity-related crime and fraud is also complex, but pivotal from a legal perspective, due to the fact that a qualification of fraud will be applicable to a large number of ID-related crimes. A substantial amount of identity-related crime is connected to fraud, since identity-related crime can be a means of avoiding fraud prevention measures and criminal liability, and a means of deception central to the fraud offence itself. The impersonation of officials of banks and telecommunications providers is a common element of many types of fraud. Other crimes such as credit card fraud may be considered identity fraud because the offender is using a copied or stolen card as a form of identification (impersonating the legitimate card holder).

Money laundering crimes also depend on abuses of identity information to avoid or obfuscate measures to counter the activity. There is also an increasing information technology aspect to these forms of criminal behaviour. ICTs enable money launderers to generate false identification information and thus engage in false transfers that can conceal laundered assets. The effectiveness of money laundering countermeasures is also complicated by ICTs, which bring the opportunities and opaqueness of offshore banking within reach of more and more offenders.

Finally, identity-related crime may also be used as a means of avoiding detection or criminal liability with respect to corruption. Looking at the link between these two forms of criminality the other way around, corruption is often a supporting activity for identity-related crime: corrupt officials in passport offices or working for credit card issuers may be actively or passively subverted in order to provide blanks or genuine documents.
This has become ever more important for criminals as more anti-forgery mechanisms are put in place on passports or other similar documents. Identity-related information in databases may also be altered or modified by suborned individuals.

3.4 The means to perpetrate identity-related misuse

The bulk of identity crimes are still committed offline and supported by very simple traditional methods such as ‘dumpster diving’ (going through rubbish bins to find personal data), stealing mail, credentials or credit cards, ‘shoulder surfing’ (looking over someone’s shoulder to observe PIN entry, etc.), and social engineering. Sproule & Archer list the following activities as potentially subsumed under identity theft47:
• Hacking
• Phishing and pharming
• Corrupt employees involved in transactions or with access to data
• Theft of documents (wallet or purse, credit cards, etc.)
• Theft of data storage devices
• Posing as a landlord or employer to get a victim’s credit report
• Spyware
• Wireless intercept
• Phone and email scams
• Document breeding
• Trafficking in personal information
• Mail interception
• Mail theft
• Forgery
• Counterfeiting
• Insider access
• Search for public records
• Dumpster diving
• Skimming.

FIDIS lists different ways of manipulating authentication procedures, the first few (1–4) of which focus on the link between the person and the identification data. The subsequent three (5–7) focus directly on the reference data, and the remaining (8–10) deal with attacks on the middleman48:
1. Worms (eg, installing a key logger)
2. Social engineering
3. Trojan Horses, key loggers, etc., sent via email attachment
4. Spoofing of sensors
5. Readout of person-related identifiers, authorization and reference data
6. Manipulation of reference data concerning a person
7. Phishing
8. Identity theft by readout of automatic data not securely communicated by the user
9. Replay attacks
10. Identity theft by redirecting communications to a manipulated web site.

47 Sproule & Archer (2007)
48 FIDIS (2006)

The OECD distinguishes between traditional and online ways to gain access to identity information. Traditional ways to access personal data for ID theft are described in Box 1, while the online methods for stealing personal information are described in Box 2.49 This list does not take into account the whole set of (initially) lawful ways in which one could gain knowledge of information later on used for an identity-related crime. These might be searching public records, finding a lost object like a wallet that contains identifying information, or having been given the information by the later victim of the identity-related crime for a different purpose.

Box 1 Traditional ways to access personal data for ID theft50

49 OECD (2008)
50 OECD (2008)

Box 2 Online methods for stealing personal information51

Furthermore the OECD groups phishing into three different subgroups52:

Box 3 Grouping of phishing techniques
Pharming: this method, which uses the same kind of spoofed identifiers as in a classic phishing attack, redirects users from an authentic website (eg, a bank website) to a fraudulent site that replicates the original. When customers connect their computer to their bank’s web server, a hostname lookup is performed to translate the bank’s domain name (eg, ‘bank.com’) into an IP address.
During that process, the IP address will be changed.
SmiShing: cellphone users receive text messages (‘SMS’) in which a company confirms their signing up for one of its dating services, for example, and states that they will be charged a certain amount per day unless they cancel their order at the company’s website. The website is in fact compromised and used to steal personal information.
Vishing: in a classic spoofed email, appearing to come from legitimate businesses or institutions, the phisher invites the recipient to call a telephone number. When calling, the target reaches an automated attendant requesting personal data such as an account number or password for pretended ‘security verification’ purposes. Victims usually feel safer in this way as they are not required to go to a website to transmit their personal information.

51 OECD (2008)
52 OECD (2008)

Box 4, below, lists the common ways to obtain a false identity, as described by a discussion paper on identity theft by the European Union’s Joint Research Centre53:

53 Mitchison et al. (2004)
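The pharming entry in Box 3 turns on one observable symptom: the hostname lookup for the bank returns an address the bank never published. As an added illustration (not part of the report or the OECD material), the following Python check treats the local resolver's answer as untrusted and compares it with an independent resolver and a pinned address list; the hostnames, addresses and resolver caches are constructed sample data, and the pinned list is an assumption of the example.

```python
"""Added example: a resolver cross-check for the pharming symptom in Box 3.

Pharming alters the hostname-to-IP translation for a site such as a bank.  A
client-side or monitoring-side defence is to treat the answer from the local
(possibly poisoned) resolver as untrusted and compare it with (a) the answer
from an independent resolver and (b) the address list the bank publishes for
its own hosts.  All hostnames, addresses and resolver answers are constructed
sample data; the pinned address list is an assumption of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Constructed: addresses the bank is assumed to publish for its login host.
PINNED_ADDRESSES: Dict[str, FrozenSet[str]] = {
    "login.bank.example": frozenset({"203.0.113.10", "203.0.113.11"}),
}


@dataclass
class Resolver:
    """Stand-in for a DNS resolver: a hostname -> address-set cache."""
    name: str
    cache: Dict[str, FrozenSet[str]] = field(default_factory=dict)

    def lookup(self, hostname: str) -> FrozenSet[str]:
        return self.cache.get(hostname, frozenset())


@dataclass
class Verdict:
    hostname: str
    addresses: FrozenSet[str]   # what the local resolver answered
    reasons: List[str]          # empty when nothing looks wrong

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def check_resolution(hostname: str, local: Resolver, independent: Resolver,
                     pinned: Optional[Dict[str, FrozenSet[str]]] = None) -> Verdict:
    """Flag a lookup whose local answer disagrees with an independent resolver
    or contains an address outside the site's pinned list."""
    pinned = PINNED_ADDRESSES if pinned is None else pinned
    reasons: List[str] = []
    local_ans = local.lookup(hostname)
    indep_ans = independent.lookup(hostname)

    if not local_ans:
        reasons.append(f"{local.name} returned no answer for {hostname}")
    elif indep_ans and local_ans.isdisjoint(indep_ans):
        # A poisoned cache or spoofed reply typically shows up here: the two
        # resolvers share no address at all for the same name.
        reasons.append(
            f"{local.name} answered {sorted(local_ans)} but "
            f"{independent.name} answered {sorted(indep_ans)}")

    expected = pinned.get(hostname)
    if expected is not None:
        rogue = local_ans - expected
        if rogue:
            reasons.append(f"address(es) not on the pinned list: {sorted(rogue)}")
    return Verdict(hostname, local_ans, reasons)


def demo() -> Dict[str, Verdict]:
    """Run the check against a clean local resolver and a poisoned one."""
    upstream = Resolver("independent", {"login.bank.example": frozenset({"203.0.113.10"})})
    clean = Resolver("local-clean", {"login.bank.example": frozenset({"203.0.113.10"})})
    # Constructed: the local cache now maps the bank's name to an address the
    # bank never published (the symptom Box 3 describes).
    poisoned = Resolver("local-poisoned", {"login.bank.example": frozenset({"198.51.100.7"})})
    return {
        "clean": check_resolution("login.bank.example", clean, upstream),
        "poisoned": check_resolution("login.bank.example", poisoned, upstream),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        status = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{label}: {status}")
        for reason in verdict.reasons:
            print(f"  - {reason}")
```

In practice the "independent" answer would come from a resolver reached over a separate path (or from DNSSEC-validated data), since a poisoned local cache and a poisoned upstream would otherwise agree.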
Box 4 Methods to obtain a false identity
• He steals wallets and purses containing identification information for the victim, along with credit and bank cards
• He steals details of the victim from a computer (that belonging to the victim, or to a vendor or supplier), with whom transactions have been carried out
• He steals the victim’s mail, including bank and credit card statements, pre-approved credit offers, new chequebooks and tax information
• He completes a ‘change of address form’ to divert the victim’s mail to a location under the rogue’s control
• He finds personal information in the victim’s home – for example, during a burglary
• He rummages through the waste-paper baskets at the victim’s home, garage, ATM machine or bank
• He hacks into e-commerce, bank or business computer servers for client information and details
• He fraudulently obtains the victim’s credit report by posing as a landlord, employer or potential employer
• He uses personal information the victim has made available on web pages or in chat rooms
• He contacts the victim, often through email, by posing as legitimate companies or government agencies with which he does business, or as companies from which he has won a prize
• He gets information by stealing files – physically or electronically – from offices where the victim is a customer, student, employee or patient
• He bribes or corrupts an employee who has legitimate access to the victim’s files
• He places a person in an organization to work for him, for example, in a bank, post office, billing company or credit company
• He acquires the information by trading with other rogues

The UK Home Office report ‘The Future of Netcrime Now’ also cited the threat of identity theft against eGovernment services and other types of identity theft and related crime specific to the online environment, as shown in Box 5 below54:

Box 5 Types of identity theft and related crimes
• Unauthorized copying of credit card information, obtained via various means (system penetration, data tap using wireless networks or a pass-through site)
• Corruption of legitimate websites by modifying pages or DNS redirection, fooling users to enter credit card details on a fake webpage
• Unauthorized copying of personal information and credit card details by a covertly installed key logger application at third party terminals (eg, cybercafe, library, college), to achieve online authentication and purchase of goods/services
• Identification systems (eg, smart cards): illegally produced and false documentation used
• Fraud against online government services (VAT, Income Tax, Tax Credits, DTI licensing) via various techniques (hijacking corporate or individual identities)
• General fraud (false document production): online data mining (chat rooms, newsgroups, databases, questionable credit reference agencies) to produce false documentation (passports, 'smart' ID cards, medical records)
• E-commerce fraud (database hacking): unauthorized system access to government and corporate databases, enabling theft of personal information (targeting of individuals of high net worth or specific employees)
• E-commerce: online data mining (chat rooms, newsgroups, databases, questionable credit reference agencies)
• Domestic device account access: the accessing of domestic digital devices (eg, set top boxes) through various means to access and copy personal account information

The EU Fraud Prevention Expert Group’s ‘Report on Identity Theft/Fraud’55, which focuses on the misuse of personal data to abuse banking/financial services, lists the following ways criminals gain access to information in the real world: 1) dumpster diving and bin raiding; 2) mail theft; 3) insider sources; 4) imposters; 5) theft; and 6) purse/wallet theft.
For the online branch of identity theft they point out the weaknesses along the chain of involved stakeholders:

54 Morris (2004), p.14
55 Fraud Prevention Expert Group (FPEG) (2007)

Table 6 Chain of weaknesses grouped by stakeholders involved56

The Liberty Alliance Project, a global consortium of open federated identity standards and identity web-based services, with more than 150 stakeholders from areas such as the banking sector, telecommunication providers and government agencies, has grouped the types of attacks to obtain individual or multiple identities as shown in Table 7 and Table 8 respectively.57

Table 7 Types of attacks to obtain individual identity data
Type: Technical
  Trojan/keystroke logger: Spyware/Malware placed via hacking, as payload in a virus or worm, or from websites
  Wireless interception: Wardriving, open access points, airsnarfing. ‘Evil Twin’ attack
  Pharming: DNS spoofing, DNS cache poisoning, proxy attacks
  Scrape website: Gather personal data from websites, web searches to use as verifiers
  Sniffing: Collect targeted network packets
Type: Physical
  Theft: Stolen laptops, purses/wallets, mail
  Shoulder surfing: Direct observation of personal information
  Dumpster diving: Gather discarded documents, hardware (disks)
  Trusted insider: Identity information misused by individuals with access
Type: Social engineering
  Phishing: Luring individuals to reveal confidential data
  Family members: Identity data misused by family members
  Legal sources of identity: Obtain identity data from credit bureaus, government agencies fraudulently
  419 scams: Obtain money and/or account information
  Trusted insiders: Gain identity information from service providers (doctors, dentists, lawyers, etc.)

56 Fraud Prevention Expert Group (FPEG) (2007)
57 Liberty Alliance Project (2005)
Table 8 Types of attacks to obtain data for multiple identities
Type: Technical
  Hacking: Gain privileged access to machines for further attacks and/or data harvesting
  Data attacks: SQL Injection, XSS
  Database attacks: Login attacks, inference attacks, SQL scanners
  Password cracking: Acquire admin password to servers
Type: Physical
  Theft or loss: Backup data, tapes, disks, laptops, etc
  Breach firewall(s): Connect to internal network(s)
  Dumpster diving: Obtain discarded documents, disks, systems, etc.
  Gain access: To computer rooms, wiring closets, switches, routers
Type: Social engineering
  Trusted insider: DBAs, employees, contractors, individuals w/access
  Phone requests: Gain confidential information to facilitate hacking

As can be seen, there are varying interpretations and classifications of the different ways in which identities might be misused. As is obvious from the tables above, these myriad methods of committing identity theft or identity-related fraud may be combined in any one criminal activity, presenting a wide range of legal and criminal justice challenges.

CHAPTER 4 The consequences of identity-related crime

In this chapter we discuss the consequences of identity-related crime, including direct consequences for the individual and different types of stakeholder (eg, businesses and governments). Also, we briefly describe the importance of understanding longer-term indirect consequences, including the loss of trust which may occur as a result of the abuse of identity infrastructures, and the increased costs which may be passed on to consumers and citizens as a result of public and private sector organisations having to invest more in security, identity and authentication infrastructures.
Different stakeholders are concerned about different aspects and impacts of identity crimes (for example, industry might be concerned about a potential reduction of trust and confidence in e-commerce and the limitation that this puts on potential revenues; banks might be concerned about criminals defaulting on credit obtained under a fictitious identity). Measuring the problem is difficult for several reasons, including the lack of a consistent definition and therefore of comparable data, the fact that victims often do not find out immediately about identity crime, and that the consequences of identity crime are also hard to quantify. Globally comparable and comprehensive statistics on identity theft are not available, but some countries like the UK, USA, Canada and Australia provide some insights into the prevalence and costs of identity theft.

The impacts of identity-related crime may be split into those that are either direct or indirect. Direct impacts at the individual level include costs to victims, either where false identities are used to commit crimes such as fraud or, in a more complex fashion, where, for example, the victim is falsely imprisoned by the use of his identity information in the perpetration of another form of crime (eg, terrorism) and is thus deprived of other socioeconomic opportunities. Indirect impacts are much harder to quantify and may include the preventative measures that governments and the private sector need to take to manage the risks of this type of fraud (which get passed back to the citizen or consumer either through more inefficiencies in the public sector or potentially higher prices for goods and services in the private sector). Other indirect impacts include those associated with the displacement of criminal activity away from those physical documents which have very sophisticated functions and anti-fraud measures toward more vulnerable targets.
Finally there may be other, more difficult to ascribe, indirect impacts: for example the economic or human costs from terrorist attacks facilitated by identity fraud, or the loss of trust and confidence in those identity infrastructures which have been abused by criminals. There are also more subtle implications for democratic participation, such as the reduction in trust and confidence in e-government and consequently the risk of decreasing participation in the usage of such tools.

4.1 The economic costs of identity theft and identity fraud

In terms of the consequences of identity-related crimes, estimates vary, and the most data is available for the US, Canada, Australia and the UK. One estimate from the US indicates that identity theft damage for 2009 was US$48 billion.58 A 2007 McAfee White Paper on Identity Theft estimates the cost of identity theft to the Australian economy as ranging annually between US$1 billion (according to the Securities Industry Research Center of Asia-Pacific) and US$3 billion (according to the Commonwealth Attorney-General’s Department).59 The Australian Bureau of Statistics (ABS) reported that 124,000 persons in Australia became victims of identity fraud in the 12-month period preceding the ABS survey on personal fraud conducted in 2007.60 CIFAS, the UK’s Fraud Prevention Service, found recently that for ‘identity fraud (the use of a stolen or false identity to obtain goods or services by deception) […] increase has continued; up 32 percent in 2009 from the level recorded in 2008.’ CIFAS links this increase to the recession. Furthermore the numbers show that more than 85,000 people have been victims of impersonation, and a total of 102,000 people have been victims of identity fraud (see Table 9).
This equals increases of 35 percent and 32 percent respectively compared to the 2008 numbers.61

Table 9 CIFAS identity-related fraud statistics for 2008 and 2009
Fraud type                     Jan to Dec 2008   Jan to Dec 2009   % Change
Identity fraud – granted       34,011            57,383            +68.72
Identity fraud – not granted   43,631            44,944            +3.01
Identity fraud – total         77,642            102,327           +31.79
Victims of Impersonation       62,957            85,402            +35.65
Identity fraud cases include cases of false identity and identity theft.

58 Javelin (2009)
59 Cited in OECD (2009) p.37
60 Australian Bureau of Statistics (2008)
61 CIFAS (2010)

The latest official estimate of the costs of identity fraud to the UK economy (covering the period 1 April 2006 – 31 March 2007) adds up to £1.2 billion (around £25 for every adult in Britain). The methodology was developed by the Identity Fraud Steering Committee and economists from the Home Office. Unlike earlier studies, this methodology takes into account both the financial loss to organizations and the costs incurred for the adoption of systems to identify, prevent, deter and prosecute cases of identity fraud. For a breakdown of the costs see Table 10, below:

Table 10 Estimated cost of identity fraud in the UK from 1 April 2006 to 31 March 200762
(Columns: Organisation / Industry / Sector; Cost of identity fraud; Notes)

APACS - the UK payments association
  Cost: £201.2m
  Notes: Figures include the actual losses associated with Card ID theft, namely account takeover and third party application fraud. It also includes an estimate of the costs associated with the prevention, detection and investigation of identity related crime as specified in the methodology adopted by the Home Office for this exercise. As the banks’ fraud prevention and detection systems, the investigation processes and the supporting resource do not solely focus in isolation on identity fraud related crime, these figures can only be regarded as indicative. NOTE: There is potential for overlap with figures reported by CIFAS. APACS and CIFAS have liaised to guard against double counting.

Association of British Insurers
  Cost: £31m
  Notes: The cost of internal fraud through re-opening closed claims, dormant accounts and paying claims for personal gain. Also includes account takeover of life policies and cashing joint life policies (estranged spouses).

Audit Commission
  Cost: £0.4m
  Notes: Represents losses from public sector occupational pension schemes due to, for example, next of kin continuing to claim pension payments following the death of a relative.

British Cheque Cashers Association
  Cost: £36m
  Notes: Estimated direct financial loss and cost of prevention, detection, reporting in relation to cashing of cheques by someone other than the payee.

CIFAS - The UK's Fraud Prevention Service
  Cost: £23.5m
  Notes: CIFAS member organisations share information about identified frauds (e.g. application fraud, first party and identity fraud) in the fight to prevent further fraud. Figures relate to costs associated with preventing fraud and actual losses through identity fraud. Typical losses reported by CIFAS members include purchases using credit cards obtained by using false identities and the value of an asset (e.g. a vehicle) purchased from a dealer using finance in a false or stolen identity. NOTE: There is potential for overlap with figures reported by APACS. CIFAS and APACS have liaised to guard against double counting.

Criminal Justice System
  Cost: £50m
  Notes: Criminal Justice System costs are an estimate of the total police investigation, prosecution, court and disposal costs for cases of identity fraud.

Driver and Vehicle Licensing Agency
  Cost: £5.3m
  Notes: Cost of detecting and investigating applications for driving licences using false identities.

Department for Innovation, Universities and Skills (Student Loans)
  Cost: £8.4m
  Notes: Costs relate to setting up systems to investigate fraudulent claims and an early estimate of identified losses from student loans obtained using false identities.

Driving Standards Agency
  Cost: £1.7m
  Notes: Cost of detecting and investigating identity fraud in the driving test process.

Home Office
  Cost: £284.4m
  Notes: Home Office costs relate to the work of its agencies in safeguarding and validating the identities of its customers, as well as costs around deterrence, prevention and investigation of identity fraud. The majority of the costs (£227.8m) relate to the operating costs for the Identity and Passport Service in carrying out identity checks, investigating suspected identity fraud cases, implementing systems and processes to detect and prevent fraudulent applications for passports, including costs relating to the introduction of face to face interviews for all adult first time applicants for a UK passport. Other costs relate to the work of the Border and Immigration Agency (now UK Border Agency) around operating a dedicated National Document Fraud Unit, deterrence, prevention and investigation of illegal working. Costs have also been included for UK Visas work on prevention of identity fraud.

Customs
  Cost: £47.2m
  Notes: Cost of prevention, detection, investigation and direct financial loss due to ID tax credit fraud.

Ministry of Justice
  Cost: £35.8m
  Notes: Cost relates to unpaid fines due to no trace of identity or address. This can be due to a number of reasons such as false or inaccurate information being provided and offenders not attending court to verify their details.

Telecommunications UK Fraud Forum
  Cost: £485m
  Notes: Estimated cost of obtaining goods and services such as mobile phones, premium rate services, long distance telephone calls through fraudulent applications using false identity details.
Personal impact A report by Javelin estimated that the amount of time it takes for an identity theft victim to rectify problems stemming from identity-related crime ranges from 30 to 40 hours per person. In 2003 the US Federal Trade Commission estimated that the average costs to the individual were US$4,800. The US Department of Justice in 2005 reported that its analysis of the average loss per household was US$1,620. Interestingly, in 2009 Javelin indicated that the mean loss per individual (in the US) was $500, which may be indicative of the success of efforts in the US to address the problem.63 As with the overall impacts of this form of criminality, there may be direct and indirect impacts for the individual. The Australasian Centre for Policing Research, in its review of 62 Source: www.identitytheft.org.uk 63 Javelin (2009) 27 RAND Europe & time-lex Chapter 4 The consequences of identity-related crime the legal status and rights of victims of identity theft in Australasia, indicated that the following three types of impact exist64: • • • 64 Direct financial impacts: loss of savings, cost of reporting and preventing the continued used of the identity and the cost of restoring reputation (eg, communications to financial institutions, credit scoring agencies and so on) Indirect financial impacts: damage to credit rating, damage to personal and business reputation and the creation of a criminal record associated with the fraudulent use of identity Psychological impacts: determined by how the stolen identity is used. Depending on the severity of the resultant crime, these may range from stress or trauma caused by or to one or more family members in respect of the use of that person’s identity to the impact of knowledge of the use of that identity for the resultant crime (eg, fraud, people smuggling, terrorism, etc.). Cited in Chryssikos et al. 
(2008), p.181 28 CHAPTER 5 Responses and mitigation: criminalisation and identity assurance In this chapter we present an overview of approaches for mitigation of the types of identity theft and misuse presented earlier. These approaches may be broadly categorised into either criminalisation (whereby new or existing legal and non-legal approaches are used to address the problem) or what might be termed ‘identity assurance’65 which is concerned with strengthening identity and authentication infrastructures in order to lessen their vulnerability. Although a small number of states such as France, the United States, Australia and Canada have enacted specific fraud or identity theft legislation, most domestic laws and policies focus upon addressing identity-related crimes through the prism of the types of further criminal activities that may be committed through abuse of identity. There are challenges to effectively dealing with identity-related crime, however. A report by the Council of Europe argues that a number of factors serve to complicate the fight against identity theft66: • • • Vulnerabilities in the identity infrastructure, most notably where a unique identifier (eg, a registration number) has been developed for one specific purpose and is subsequently used for another, broader purpose without corresponding improvements in the supporting infrastructure The availability and ubiquity of identity-related information (especially in digital form and/or made available online). 
This includes broadly available personal information on social networking sites but also the increasingly popular use of digital identity information and its linking by the public and private sectors (an example of which is behavioural advertising: where disparate snippets of identityrelated data are linked, combined and interrogated to build up a picture of an individual) Missing identity verification procedures – the complexity of transferring identity verification procedures to a digitised world has meant that they are often poor or absent, again presenting challenges for addressing identity-related crime 65 IAAC (2009) 66 Gercke (2007) 29 RAND Europe & time-lex • Chapter 5: Responses and mitigation: criminalisation and identity assurance Investigative difficulties – there are a number of challenges reflecting investigative difficulties including the number of victims, the availability of easy tools to perpetrate offences, the international and cross-border dimension, and finally the opportunities that automation presents (eg, in the link between spamming, botnets, phishing emails and unsecured home networks). How to approach criminalisation? 
5.1 The 2007 UN ISPAC conference suggested the following rights and interests which may need to be protected by criminal law ought to be taken into account when considering the utility of offences and other criminal justice measures as avenues to address identity theft and identity-related fraud67: • • • • • • • • 5.2 The interests of the individuals whose identity is taken, copied, altered or misused The extent to which relevant rights exist and are affected by the abuses, including privacy rights, intellectual property rights (eg, corporate identity) and the right to have an identity The needs to protect the integrity of the various models of the identity infrastructure, including national identity systems, subject specific identity systems (eg, passport systems) and relevant private sector identity systems Within the scope of each identity infrastructure, what specific document and information should be protected Whether the criminalisation of specific abuses per se is necessary or justified to prevent or suppress secondary crimes such as fraud, money laundering, terrorism, or the smuggling of migrants or trafficking of persons Whether criminalisation is needed or justified on national security grounds Which specific forms of conduct should be criminalised and how offence provisions should be framed (eg, in respect of conduct such as acquiring, taking or copying, falsifying, possessing, transferring or trafficking in identity information or documents or the subsequent illicit use of identity documents or information in other offences) At a general level, how the scope of identity offences would fit within the existing criminal law of each state, bearing in mind the need to avoid gaps. 
Prevention Whilst criminalisation is clearly one approach to addressing the problem (in so far as it can act as a deterrent and can remove the perpetrators from society) ex post, there is an argument that prevention is more cost effective and ultimately a more useful avenue to address this form of misuse. This was highlighted by McNulty, who noted that in addressing the complex challenge of identity theft and fraud, prevention is better than cure.68 67 Chryssikos et al. (2008) 68 Chryssikos et al. (2008), p.93 30 RAND Europe & time-lex Chapter 5: Responses and mitigation: criminalisation and identity assurance Two different forms of prevention were cited in the response to the UN ISPAC conference as key areas to be addressed. These were strategic and situational (or operational) prevention. Strategic prevention referred to the need to develop and implement infrastructures that are resistant to crime; situational prevention referred to the rapid identification of ongoing schemes or activity in order to generate criminal investigations and countermeasures to mitigate or reduce the damage. Examples of strategic prevention include technical measures against the forgery and counterfeiting of physical identity documents, the use of photographs (and increasingly digitised identity information such as electronic biometric data), review of the limits of validity of documents, and measures to protect the validity of the process of creating identity and issuing documents. The verification process also needs to be protected in respect of the uses of identity documentation and its links to the identity infrastructure. Clearly protections such as biometrics and multiple factor authentication may help support the protection of the verification process. One of the prime situational or operational preventative measures is training and awareness for individuals in how to respond when this kind of abuse is detected. 
Other examples of situational prevention may be found in the Information Management Strategy of the EU’s Stockholm Programme, which seeks to set out a framework and associated systems for sharing of information to support police and judicial cooperation across Europe (for example, in respect of a European Information Exchange Model, improving information flow between the Member States and Europol and establishing improvements to operational police cooperation).

5.3 Relevant supranational legislative norms

There are a handful of international legal instruments or norms which may also be effective and relevant, serving as regional or global frameworks through which public and private stakeholders may coordinate their efforts to combat ID theft. At the European level these include the EU Data Protection Directive 95/46/EC, which contains legal requirements to protect against the unlawful use of personal data, including the possibility of initiating appropriate legal actions in case of violations of its rules. Other relevant EU-wide legal frameworks (such as the recently passed revisions to the Telecommunications Privacy Directive 2002/58) may also be of indirect relevance. The provisions regarding the notification of breaches to data subjects, for example, may allow them to see if they are at increased risk of being a victim of identity theft. The 2005 Council Framework Decision on Attacks Against Information Systems also represents a relevant instrument with which to address this form of criminality, as it defines a number of ICT-related crimes that may also apply to specific instances of ID theft. This Framework Decision follows the example of the similar Council of Europe Cybercrime Convention.
This convention is the only international legally binding instrument which provides a set of guidelines or framework for countries intending to develop comprehensive national legislation against cybercrime (including offences relating to online aspects of identity theft such as phishing).

Within the international sphere, another relevant supranational convention is the United Nations Convention Against Transnational Organized Crime (Palermo Convention, 2000). This convention sets a global bar for what may be considered as ‘serious crime’ and to some extent lays down requirements for signatories to set out minimum sanctions for the twelve different sorts of activity classed as organised crime. The utility of using this instrument to tackle identity theft in respect of trafficking of persons was raised during its negotiations in 1999–2000 (in the context of identity-related crime as it relates to immigration). Similarly, the UN Convention on Corruption, which came into force on 14 December 2005, addressed some of the issues pertaining to identity theft by means of corruption. The convention originated from General Assembly resolution 55/61 of December 2000, which recognised that, independently of the UN Convention Against Transnational Organized Crime, an international legal instrument should be adopted to tackle corruption. The international community recognised that corruption is a ‘complex social and economic phenomenon that affects all countries’ and transcends various forms of crime including identity fraud.[69] Given the potential links between corruption and ID theft, this source may be relevant when tackling the issue of misuses of identity.

5.4 Public-private international collaboration

The Phishing Enforcement campaign may be seen as a salutary example of the need for international collaboration.
In 2005 there were 121 civil lawsuits filed and 53 legal actions announced on 20 March, including 10 arrests in France, 7 in Spain, 4 each in the UK, Germany and Morocco, 1 each in Austria, Sweden and Egypt and 20 in Turkey. The Global Phishing Enforcement Initiative (GPEI) launched by Microsoft in March 2006 reported 3,500 take down notices issued since 2003. Other international cooperative activities included the arrest of 8 individuals in Bulgaria in 2006 as a result of an international investigation which involved Microsoft under the GPEI. In the Stockholm Programme, the European Commission was invited to take measures to enhance and improve such public-private partnerships.

5.5 The European policy response

Europol’s European Union Organised Crime Report for 2003 acknowledged that the incidence of identity theft and credit card fraud had continued to grow in the EU. Since then, there has been a degree of convergence between efforts to address the security of the financial systems and to address credit card fraud and identity theft. In the 2004 Action Plan on payment fraud prevention, identity theft was highlighted as a growing issue and the need to strengthen business and consumer confidence in the use of non-cash means of payment (particularly face to face) was also noted. Also, in 2004, a workshop on identity theft was held under the EU Forum for the Prevention of Organised Crime.
In 2006 a conference on identity theft was hosted by the European Commission which identified a number of follow-up actions relating to: the need for a common definition of identity theft in the EU; the need for new EU criminal legislation; the usefulness of tackling identity theft at EU level, notably by intensifying public-private cooperation; the need for more statistics; the need to strengthen investigations and prosecution by law enforcement; the desirability of a coordinated effort to raise awareness; the need to improve or facilitate reporting by victims; and the need to assist the private sector in the verification of identity documents. The synergies between prevention of payment fraud and identity theft were recognised at this meeting, most notably in respect of the complexity of data to measure the effectiveness of responses, the need for cross-border collaboration (since this is essentially a cross-border problem) and intergovernmental cooperation, and finally in respect of the ‘messy’ nature of this policy challenge (crossing as it does the boundary between public and private sectors).

Increased attention to the question of payment fraud was also brought about by A New EU Action Plan 2004–2007 to Prevent Fraud on Non-Cash Means of Payments (COM(2004) 679 final), which aimed to establish a coherent pan-European approach to fraud prevention. In 2007, the Communication From the Commission to the European Parliament, the Council and the Committee of the Regions Towards a General Policy on the Fight Against Cyber Crime (COM(2007) 267) expressed regret that identity theft was not yet criminalised in all EU Member States and proposed that EU law enforcement cooperation would be better served were identity theft criminalised in all Member States.

Notes
69 As of 25 January 2011: http://www.unodc.org/unodc/en/corruption
The conclusions of a study commissioned by the Portuguese Presidency in 2009, following a European conference on ‘Identity Fraud and Theft: The Logistics for Organised Crime’ in 2007, also reinforced this; however, it did not go so far as to propose criminalisation in all Member States. Rather this study recommended that it was necessary to:

    Agree on a joint uniform definition of the term identity fraud as well as a joint uniform approach toward a common legal framework for identity fraud punishment[70]

A second important development is in respect of the focus of EU policymaking on cybercrime. Although identity theft does not only occur online, addressing the Internet-enabled instances of this form of criminal activity presents immediate, tractable and ‘low hanging fruit’ results in terms of policy impact. The Framework Decision on Attacks Against Information Systems and the Council of Europe Convention on Cybercrime (Budapest Convention) are perhaps the two most important legal instruments in this regard. The conclusions of the European Council on the Action Plan to Implement the Concerted Strategy to Combat Cyber-Crime on 26 April 2010 also note financial cybercrime and online fraud as specific topics likely to require the attention of a single centre which would carry out a variety of tasks aimed at implementing the cybercrime strategy.[71] This would consolidate and expand upon the functions assigned to Europol’s European Cybercrime Platform (ECCP) ‘in order to facilitate the collection, exchange and analysis of information’. On a more operational level, the High Tech Crime Centre of Europol has also remained an active stakeholder in supporting investigation and ongoing operational activities.
Notes
70 Knopjes (2009)
71 Council Conclusions on an Action Plan to Implement the Concerted Strategy to Combat Cybercrime, 26 April 2010: http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/114028.pdf

Following on from the Council Conclusions of April 2010, in June of the same year Europol’s Cybercrime Task Force[72] was created with a remit to consider operational and strategic issues on cybercrime investigations, prosecution and cross-border cooperation in the fight against cybercrime. The aforementioned ECCP formed part of this Task Force, which also included the Internet Crime Reporting Online System (ICROS), the Analysis Work File Cyborg (aimed at fighting criminal groups operating on the Internet), and other initiatives aimed at supporting law enforcement activities. This platform was regarded as a first step toward a more consistent and effective approach to fighting Internet criminality at the EU level. The ECCP originated from a proposal by the French Presidency in 2008 for Europol to coordinate a European response to Internet-related crime by creating a means to report offences noted on the Internet. The Presidency also invited Europol to develop a common and coordinated strategy to fight Internet-related crimes on an international level.

Aside from this focus on the economic drivers and consequences of identity theft and its treatment primarily as an economic phenomenon, there is now increasing policy interest in understanding and addressing identity theft and fraud as a form of criminal activity in the context of other freedom and security issues, such as the fight against terrorism or illegal immigration. The 2009 Stockholm Programme contained a wide-ranging set of priorities for policy in the area of justice, freedom and security of direct or indirect relevance to identity theft and fraud.
As well as specific mention of the need for a pan-European reporting mechanism for identity theft, the Stockholm Programme also indicated how the growing use of personal data presents opportunities and threats to freedom, security and justice for all. Numerous actions were identified in areas relating to fraud, immigration and corruption (forms of criminal behaviour that might be facilitated by identity theft or identity-related fraud), as well as details of actions to address identity-related infrastructures (in terms of reducing opportunities for exploitation by implementing more responsible uses of personal data and greater adherence to globally accepted data protection principles). The Stockholm Programme and its associated Action Plan also highlight the need for an examination of whether sufficient approximation exists between Member States regarding certain forms of crime as identified in Framework Decisions (most notably, of relevance here, on computer crime) and whether new legislation is required.

Finally, returning to the question of whether prevention is better than cure, the existing focus on reform of the EU legal framework governing the use of personal data presents another opportunity for progress in securing identity infrastructures and putting into place another important preventative aspect of the fight against identity theft. In its Communication to the European Parliament and the Council of June 2009, the European Commission noted that various technological drivers were having a major effect upon the use of personal data, reinforcing the need for a comprehensive and effective legal framework to address these new challenges (implicit in this is not only the non-criminal misuse of personal data but also the fact that ineffective adherence to the legal framework creates opportunities for individuals to exploit insecure data stores and to steal or obtain personal data).
Notes
72 As of 25 January 2011: http://www.europol.europa.eu/index.asp?page=news&news=pr100622.htm

5.6 National responses

Moving to the national sphere, it is clear that states adopt differing approaches to address the problem of identity theft and identity-related crime. Most experts agree, however, that the solution must combine both legislative and non-legislative approaches, across both the public and private sectors (since this is a policy issue covering both).

5.6.1 Legislation

There are a variety of types of legislative instrument that may be developed, drafted or used to address the types of misuse described previously. These include (see the analysis of the country reports below for further details):

• Identity theft legislation (such as in Canada, France or the United States) that specifically criminalises varying types of misuse
• Legislation with regard to the protection of personal data (including regulations that govern the circumstances under which personal data can be collected and for which purposes it might be processed, and security breach notification laws[73])
• Legislation and regulations relating to identity documents and numbers (such as national identity cards or social security numbers) that govern the existence, use and forgery of specific identity tokens or credentials
• General penal provisions with respect to fraud, forgery and usurpation of titles (provided these provisions are phrased sufficiently broadly, they may be useful and appropriate for sanctioning even high-tech instances of identity theft), which may have been amended as a result of international harmonisation initiatives in the field of high-tech crime (eg, the Council of Europe Convention on Cybercrime)
• Regulations specific to a particular sector (eg, aimed at fighting organised crime or terrorism). Generally such legislation provides an indication of the track record of success of operational efforts to address this problem
• Non-criminal regulations (administrative infractions, civil suits and torts, which may result in non-criminal fines and/or the awarding of damages to victims) might be available and should be taken into account.

The abovementioned instruments may be combined in practice, and their application does not exclude other remedies. To give a concrete example, even when general or specific criminal provisions are applicable, civil compensation or tort is not excluded.

5.6.2 Non-legal responses

As stated before, legislation of whatever type can only go so far in addressing identity theft and identity-related fraud. Other ‘softer’ solutions are also necessary, including the use of public-private partnerships (which permit stakeholders from both sides to come together and discuss issues in a collaborative manner), hotlines and reporting centres (both public and internal, such as those from law enforcement to specialised centres), the collection of statistics (which permits an evaluation of the effectiveness of measures), user awareness and reporting mechanisms (to again support strategic prevention ex ante), non-binding forms of monetary compensation (eg, via alternative dispute resolution schemes such as those in Canada or retail-orientated systems like SquareTrade), and finally technology to improve the security of identity infrastructures at all points of the identity assurance chain.

Notes
73 Romanosky et al. (2008)

CHAPTER 6 Conclusions

In the chapters above, we have presented an overview of the literature relating to the phenomenon of identity theft and identity-related crime.
We have shown that the properties of identity make it difficult to classify types of misuse as theft, since identity has non-rivalrous properties: when a person decides to (mis)use aspects of a victim’s identity, this does not inherently rob the victim of those features, although he or she may very well suffer negative consequences as a result. In economic terms, ‘identity’ as a concept is not fully subject to unambiguous ownership. It generally cannot be freely traded or forcibly taken, as its abstract nature and strong inherent link to an individual make it unsuitable to a qualification as a type of property which can be appropriated by a third party. For this reason, the notion of identity ‘theft’ is slightly misleading: the types of incidents often qualified as identity theft (including the examples above) generally would not be covered by traditional criminal provisions in relation to theft. Leaving aside these legal and philosophical questions on the nature of identity and its possible ownership, other important terminology issues arise. If the term ‘identity theft’ indeed does not require anything to be ‘taken away’ in the strictest sense, then should the concept instead capture all the forms of misuse associated with identity-related information? If so, then would a broader nomenclature of ‘identity-related crime’ be more appropriate than the more restrictive ‘identity theft’? Identity theft may, in the case of an illegal identity information ecosystem (e.g. the production and sale of fake passports), be a pure form of misuse, the results of which are then offered to others as a criminal service. More commonly, however, identity theft is a preparatory act intended to facilitate other crimes. These other crimes are most often motivated by financial or economic gain and usually take the form of various types of fraud. 
In attempting to categorise identity-related crime, there are a number of dimensions which may be relevant, including: the role of information technology in the commission of the activity; the mechanisms used to obtain or fabricate identity information; the types of identity information and stakeholder targeted; and the end criminal use to which identity information is put (for example, defamation or character assassination, crimes against persons, medical malfeasance, infiltration of organisations for espionage, sabotage, terrorism, drug smuggling, money laundering, illegal immigration, etc.). Furthermore, identity-related misuse/crime can be categorised according to its purpose (related to, but different from, the consideration as to whether it is fraud or a separate, distinct form of criminality as described above).

In any case, the most popular motives for the use of stolen identity documents are financial, and include obtaining and using credit, procuring cash and fraudulent loan applications. Identity theft may also be perpetrated as a means for terrorists to hide themselves and their activities from the authorities, to aid in people smuggling, and as part of the complex web of activities associated with illegal immigration, money laundering and various types of fraud.

Looking at the specific means to perpetrate identity theft and related forms of misuse, there is a broad range of methods identified, spanning a spectrum from suborning corrupt officials to the physical theft of blank identity documents, to means that use information technology including phishing (sending emails asking customers to submit their information to websites purporting to represent their bank or financial institution) or skimming (taking personal or identifiable data from the magnetic stripes on credit cards when used at ATMs).
Dumpster diving (going through refuse or rubbish trying to find identity-related information) is another common method used to perpetrate identity theft, as is shoulder surfing (watching over someone’s shoulder in order to observe and record a PIN number). In terms of the consequences of identity-related crimes, estimates vary, and the most data are available for the US, Canada, Australia and the UK. For example, according to the latest data available in the UK, the yearly costs relating to identity theft were estimated at £1.2bn. In Australia estimates vary between US$1 billion and US$3 billion. By comparison, one estimate from the US indicates that identity theft damage for 2009 was US$54 billion. The consequences are varied and include not only direct economic damage to the individual (for example, direct financial loss due to theft) but also indirect damage (for example, loss of reputation caused by being mistakenly identified as the perpetrator of another crime). There are also broader socio-economic consequences, including loss of trust in the identity infrastructures that have been breached and the indirect costs that credit card companies end up passing on to the consumer as a result of the additional security measures they put in place as part of their identity and authentication infrastructures. In terms of policy responses, there is wide agreement that a combination of legislative and non-legislative measures is necessary. There is also a recognition that prevention is better than cure and that, while ex post criminalisation may have its place (as a deterrent and punishment), a policy focus on strategic and operational prevention is equally if not more important. Such means might include hotlines and reporting centres, awareness raising activities and one-stop shops. Finally, the collection of statistics was also viewed as important (and again this touches upon the definitional question as to how to frame the understanding of what data to collect).
The cross-border nature of these forms of criminality also requires coordinated action by national governments. Supranational instruments, initiatives and measures have a role to play in this respect, either via international conventions (such as the Convention on Cybercrime, the UN Convention on Corruption or the EU Framework Decision on Attacks Against Information Systems), via industry platforms (for example, the Anti-Phishing Working Group) or, in the case of the European Union, through concerted action via task forces, platforms and action plans. Nonetheless, at the European level, a first step will be to understand how identity theft and identity-related misuse is treated at the national level by both legislative and non-legislative approaches. This will then inform consideration of where policy efforts may be best placed, either in respect of focusing efforts on the preparation of entirely new legislation specifically dealing with this form of misuse or perhaps instead on non-legal approaches. Generating the evidence to inform this consideration is the purpose of the next phase of this study.

CHAPTER 7 Country Summaries

This chapter contains short summaries of the full country reports in Appendix 1: National Profiles. Before the summaries themselves, we present summary tables describing the overall picture across the countries studied. These include an overview using five criteria (Table 11):
• Existence of specific legislation detailing ID theft
• Existence of other applicable legislation that is suitable
• Existence of notable case law regarding the successful application of legislation to address different specific instances of identity theft/misuse (as defined in the five characteristics in our study)74
• Existence of a dedicated reporting point, specifically for identity theft and identity-related misuse
• Existence of awareness raising mechanisms.
We also present tables (Tables 12 and 13) describing:
• Sanctions (minimum, maximum and, where data are available, the actual sanction awarded)
• Characteristics associated with the reporting mechanism (eg, offline or online reporting, whether the victim receives feedback or progress updates).

74 Note that we do not include local or regional instances of case law which may illustrate discrepancies between towns or cities in the same country.

Table 11 Overall country comparison
Columns: Country; Specific ID theft provisions in criminal law?; Relevant law?; Case law?; Specific dedicated reporting point?; Public awareness campaign?
Rows: Australia, Austria, Belgium, Bulgaria, Canada, China, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, India, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, The Netherlands, Poland, Portugal, Romania, Russian Federation, Slovakia, Slovenia, Spain, Sweden, United Kingdom, United States.
[The cell values of Table 11 were not recoverable from the extracted text; the country summaries below give each country's position on these five criteria.]

Table 12 Comparison of maximum and minimum sanctions
Columns: Country; Maximum criminal sanction; Minimum criminal sanction (same rows as Table 11).
[The extracted text does not preserve which sanction belongs to which country or column. The sanction cells, each with the statutory provision cited, are listed here in the order extracted:] Up to 10 years (Criminal Code Part 7.3); Up to 10 years (Sec 148a StGB Penal Act); 1 year (Criminal Code Part 7.4); 3 months (Sec 108 Federal Act Enacting a Telecommunications Act - TKB - 2003); 15 days (Art 124 of Law of 13 June 2005); Up to 1 year (e.g. Art 319e Para 1 of Criminal Code); Up to six months (Section 342.01 Criminal Code); Up to 10 years (Article 196 Criminal Code); Up to 20 years (e.g. Art. 212 Criminal Code); Up to 14 years (Section 380(1) of the Criminal Code); Death (Article 192, 194 and 195 of Criminal Code); Up to 14 years (Part VIII of the Criminal Code, Section 333); Up to 12 years (Section 209 Criminal Code); Up to 6 years (Article 171 Criminal Code); 4 months (Act No 429 on the processing of personal data); Up to 1 year (Section 344); Up to 5 years (Section 213 of the Criminal Code); Up to 4 years (Section 2 of Ch 33 of the Criminal Code); Up to 10 years (Article 441-4 Criminal Code); Up to 10 years (Section 263(1) Criminal Code); Life sentence (Article 1 of Law 1608/1950); Up to 10 years (Article 318 Criminal Code); Up to 10 years (Section 70, IT Act 2000 and 2008); Up to 10 years (Section 9 Criminal Justice (Theft and Fraud Offences) Act 2001); Up to 6 years (Art 497bis Criminal Code); Up to 10 years (Article 246 Penal Code); Up to 15 years (Section 177(1) Criminal Code); Up to 6 years (Section 2 of Article 196 of Criminal Code); Up to 10 years (Article 196 Criminal Code); 7 years (Article 308, Chapter 9 Criminal Code); 6 years (Article 255 Criminal Code); Up to 8 years (Article 286 Section 1 Criminal Code); Up to 10 years (Article 4 Cybercrime Law; Law no. 109/2009); Up to 20 years (Art 215 Criminal Code); Up to 10 years (Article 159 Criminal Code); At least 3 months (Article 287 Section 1 Criminal Code); Up to 15 years (Article 221 Criminal Code); Up to 10 years (Article 211 Criminal Code); Up to 8 years (Article 399bis Criminal Code); 6 years (Chapter 9 Section 3 Penal Code); Up to 10 years (Fraud Act 2006); At least 6 months (Article 226 Criminal Code); At least 3 months (e.g. Article 237 Criminal Code); At least 3 months (Article 392, no. 2); 6 months (9 Section 2 Penal Code); 12 months (Section 2, Computer Misuse Act 1990 as amended by Police and Justice Act 2006); Up to 1 year (Section 2701-2711 Criminal Code); Life imprisonment (Title 18 Section 1030 US Criminal Code); Up to three years (Art 23bis of Criminal Code); At least 2 years (Section 10 of law of 2004 ratifying Cybercrime convention); 6 months (Section 232 (1) (a) or (b) of The Criminal Code); At least 4 months (Section 2 of Ch 36 of Criminal Code); Up to 1 year (222-16-1 Criminal Code); Up to six months (Section 269 (3) Criminal Code); 3 months (Section 370C(2) Penal Code); Up to 1 year (Article 276 Criminal Code); Up to three years (Section 66 A IT Act 2000, 2008); Up to 3 months (Section 5 Criminal Damage Act 1991); At least 6 months (Article 640 Criminal Code); At least three months (Art. 258 Penal Code); Up to 2 years (Section 145 Law of 23 March 2000); Up to 2 years (Art. 198(2)); At least 8 days (Article 231 of the Criminal Code); Not exceeding 20 days (Article 308, Chapter 9 Criminal Code); Maximum 1 month (Section 1 Article 350b Criminal Code); At least 6 months (Article 256 Criminal Code); At least 3 months (Article 291 Criminal Code); Up to 3 months (Article 325 Criminal Code).

Table 13 Comparison of reporting mechanisms
Columns: Country; Dedicated off/online portal?; All crime; ID theft; Feedback.
Dedicated off/online portal? (the 34 values in the extracted text are read here in the same country order as Table 11): Australia Online; Austria Online; Belgium Online; Bulgaria Online; Canada None; China None; Cyprus None; Czech Republic None; Denmark None; Estonia Offline; Finland Online; France None; Germany None; Greece Online; Hungary None; India Offline; Ireland Offline; Italy Online; Japan None; Latvia Online; Lithuania Online; Luxembourg None; Malta Online; The Netherlands Online; Poland None; Portugal Offline; Romania None; Russian Federation Online; Slovakia None; Slovenia None; Spain None; Sweden None; United Kingdom Online; United States Online.
The remaining columns (All crime, ID theft, Feedback) contain only n/a entries in the extracted text.

7.1 Australia

Australia does not have a federal law which specifically criminalises ‘identity theft’, although a bill to that effect is before the federal parliament. This bill would introduce a new Part 9.5 ‘Identity crime’ into the Commonwealth Criminal Code. Although the bill is not yet federal law, mirror legislation has been adopted by several Australian states and it is therefore useful to summarise its main features. The bill would introduce the following three offences: dealing in identification information; possession of identification information; and possession of equipment used to make identification documentation.
Whereas the federal legislation still has not been passed by Parliament, most Australian states have now enacted specific identity theft crimes. South Australia and Queensland took this step before the introduction of the federal bill; other states have done so subsequently.

Other laws that may apply to ID theft incidents
• Criminal Code (eg, Part 10.8 or Part 7.3 or Part 7.7)
• Privacy Act 1988
• Spam Act 2003
• Financial Transaction Reports Act 1988

Application of relevant laws in practice
While there is no reported case law arising under any of the specific identity theft provisions in Australian law, there appears to be a sufficient body of existing law which could be applied to prosecute perpetrators of identity theft in the examples considered.

Reporting Mechanisms
The Attorney-General’s Department maintains a website on identity security, which contains links to national strategies as well as a publication ‘Dealing with ID Theft’ (http://www.ag.gov.au/identitysecurity). This document, which is aimed at members of the public, provides preventative information and includes relevant points of contact for reporting incidents. Separately, the website SCAMwatch (http://www.scamwatch.gov.au) is maintained by the Australian Competition and Consumer Commission and includes an online form for reporting identity theft. Other informational websites are also in existence.

Concluding Comments
Whereas the federal identity theft bill of 2008 has still not been passed by Parliament, the five most populous states all now have specific identity theft crimes on the books. Generally, these are not standalone offences; they are based on an intention to commit or facilitate other criminal conduct. In this regard, they add to the inchoate offences already provided for by the common law or by statute, eg, attempting to commit a crime.
From a law enforcement perspective, they are potentially useful because they criminalise conduct at an early stage, before it has gone far enough to constitute an attempt or conspiracy. However, in practice they have not been utilised. There are no cases arising under any of the specific identity theft provisions. This may simply reflect that the laws have not been on the books for very long, although in South Australia (albeit a jurisdiction of a little over 1m people) they have gone unused since their introduction in 2003. Another possible explanation is that policing of identity theft remains largely reactive. If this is the case, then offenders are likely to have committed, or at least attempted, other crimes by the time they are arrested, making it unnecessary to overload the indictment with additional charges.

7.2 Austria

No legislation has been introduced in Austria that focuses explicitly on ID theft as a specific crime, or that defines such a crime. In practice, ID theft incidents are combated using the general provisions below (in relation to personal data protection, ‘cyber crime provisions’, fraud, etc.). No such legislation is currently under consideration in light of the information available.

Other laws that may apply to ID theft incidents
• Penal Act (eg, Sec 148a) and Provisions in Connection with ID Theft, Fraud, Forgery, and Cybercrime
• Privacy and ID Protection Provisions in the General Civil Code
• Data Protection Act 2000
• Data Protection Provisions in the Telecommunications Act 2003

Application of relevant laws in practice
Despite there being no case law from the Higher Courts or the Austrian Supreme Court in the area of identity theft, there appears to be a sufficient body of existing law which could be applied to prosecute perpetrators of identity theft in the examples considered.
For example, unlawfully using another person’s credentials online could constitute a violation of the DSG 2000, since the credentials are likely to be considered personal data which are being unlawfully processed. In the case of using falsified identity documents to unlawfully apply for social benefits, this would constitute a violation of Sec 43 ABGB and a violation of the DSG 2000.

Reporting Mechanisms
While websites exist for providing information on safe use of the Internet (http://www.saferinternet.at) and for reporting offences related to child pornography or National Socialism (http://www.stopline.at), there is no general reporting site for ‘cybercrime’, and none for identity theft, in Austria. Consequently, incidents of identity theft should be reported to the general IT-Crime Department incorporated within the Federal Criminal Police Office (‘Bundeskriminalamt’) (http://www.bmi.gv.at/cms/BK/start.aspx).

Concluding Comments
It seems that the legal framework for combating identity theft incidents (but only those that cause damage) is sufficiently comprehensive in Austria. However, there is no central contact point in Austria for reporting Internet crimes in general and identity theft in particular. Consequently, victims of identity theft are required to go through official channels (ie, registering a complaint with local police officers) up to the general IT-Crime Department incorporated within the Federal Criminal Police Office (‘Bundeskriminalamt’). This process seems to be rather non-transparent to victims. In general, identity theft does not appear to take a high priority in everyday crime practice in Austria.

7.3 Belgium

No legislation has been introduced in Belgium that focuses explicitly on identity theft as a specific crime, or that defines such a crime.
In practice, identity theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, etc.). No such legislation is currently under consideration to our knowledge. Instead, the policy emphasis in Belgium is more on improving awareness of identity theft risks among potential victims and law enforcement bodies.

Other laws that may apply to ID theft incidents
• Criminal Code (eg, Art 196) and Provisions in relation to Fraud, Forgery and Cybercrime (eg, Art 496)
• Data protection law: Law of 8 December 1992 protecting the private sphere in relation to personal data processing
• Law of 13 June 2005 on electronic communication

Application of relevant laws in practice
There are a number of examples of successful prosecutions of ID theft incidents in Belgium:
• In 2002 the criminal court of first instance in Liège ruled that the use of a false identity in a web forum to solicit erotic messages to a phone number which did not belong to the perpetrator constituted fraud and stalking.
• A Supreme Court ruling in 2003 found that using a third party’s stolen credit card constituted computer-related fraud.
• A person who falsified his identity documents in order to obtain social benefits was sentenced to 3 years imprisonment by the Court of Brussels in 2004.
• In 2000 a hacker was convicted by the criminal court in Ghent for violation of communications secrecy laws, having collected ISP customer data (username, password, credit card numbers) which he then released to press agencies.

Reporting Mechanisms
The eCops reporting site (www.ecops.be) acts as a single contact point, through which any Internet-based crime incidents can be reported using standardised forms. Reports submitted via the site are automatically transferred to the Federal Computer Crime Unit (FCCU). The eCops site is primarily aimed at allowing citizens to report Internet crime that they have observed but of which they were not the victims.
Victims of identity theft and related crimes are recommended to contact their local police office directly.

Concluding Comments
The legal framework for combating identity theft incidents in Belgium appears to be sufficiently comprehensive, and has resulted in a number of successful prosecutions. The eCops site as a central contact point for reporting Internet crimes can be considered a positive development, although victims of identity theft are still required to go through local police offices, where the investigation process remains relatively non-transparent.

7.4 Bulgaria

No legislation has been introduced in Bulgaria that focuses explicitly on identity theft as a specific crime, or that defines such a crime. In practice, identity theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, etc.). On the other hand, the Bulgarian Criminal Code contains numerous provisions which fix punishments for specific crimes that may involve identity theft incidents.

Other laws that may apply to ID theft incidents
• Criminal Code (eg, Art 209) and Provisions in relation to Fraud, Forgery and Cybercrime
• Personal Data Protection Act
• Electronic Communications Act

Application of relevant laws in practice
There are a number of examples of successful prosecutions of identity theft incidents in Bulgaria, including:
• Bourgas Regional Court in 2008 found the accused guilty of mounting a special technical device on an ATM machine, through which he had acquired information contained on bank cards used at that ATM.
• Sliven Military Court in 2008 found the accused guilty of disclosing personal data (including names, personal identification numbers, addresses and photos) belonging to a group of natural persons, to a single natural person who was not entitled to access the data.
Reporting Mechanisms
A site (http://www.cybercrime.bg/index.html) was established by the Bulgarian Ministry of the Interior to act as a single point of contact for reporting Internet-based crime incidents. This website also contains useful and comprehensible information on some cybercrimes, including on the risk of identity theft incidents on the Internet and how citizens can protect themselves against such attacks. In addition, the website of the Bulgarian Personal Data Protection Commission allows online submission of any complaints related to any violation of data protection legislation (http://www.cpdp.bg/?p=pages&aid=6).

Concluding Comments
The legal framework for combating identity theft incidents in Bulgaria appears to be sufficiently comprehensive, as there do not appear to be any examples of identity theft incidents which are not covered under present legislation. The establishment of a contact point for reporting cybercrimes can also be considered a positive development. Nonetheless, there are a few weaknesses. Firstly, the reporting website is not subject to update or further development. Also, it is not very well promoted among the public. In practice, victims of identity theft are still required to go through official channels (ie, registering a complaint with local police offices). Secondly, the investigation of incidents remains complicated in practice, especially in cross-border cases. In addition, there is no regulation focused specifically on online identity theft incidents which are not related to fraud or another mercenary purpose but result only in moral damages. Such cases are not treated as crimes and accordingly are not subject to criminal investigation.

7.5 Canada

On the 31st of March 2009 the Act to amend the Criminal Code (identity theft and related misconduct), Bill S-4, was introduced in the Canadian Senate.
With its coming into force on the 8th of January 2010, the bill, which – with a few additional offences – covers the same provisions already proposed in 2007 by Bill C27, has amended the Criminal Code to cover identity-related crimes. In particular, the bill aims to close the gap with respect to certain activities not previously covered by other provisions of the Criminal Code, such as preparatory activities.

Other laws that may apply to ID theft incidents
The following central federal laws regulate privacy and data security:
• Criminal Code (eg, Section 403) and Provisions in relation to Fraud, Forgery and Cybercrime
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Privacy Act
In addition, several privacy laws are also implemented at state and province level, for example, Ontario’s ‘Freedom of Information and Protection of Privacy Act’.

Application of relevant laws in practice
Given that the Act to amend the Criminal Code (identity theft and related misconduct) only came into force at the beginning of 2010, it remains to be seen how these new provisions are going to be applied over time. Existing privacy law has been used effectively, for example to change the business practices of a company which collected email addresses from public websites for marketing purposes.

Reporting Mechanisms
There is no one-stop-shop mechanism in place for reporting identity theft-related crimes in Canada; rather, there are several points of information on fraudulent activities in general (including identity theft) and a few that specifically target identity theft. These websites and hotlines are operated by a range of different entities, including Canadian law enforcement agencies, ministries and other governmental entities, as well as not-for-profit organizations. An example would be the Canadian Anti Fraud Center (http://www.phonebusters.com).
However, none of these hotlines/websites seem to coordinate the further process; rather, they provide guidance on the steps to be taken after having become a victim, and raise awareness by providing information material to the public.

Concluding Comments
In light of the federal structure, which in certain relevant areas provides for decentralized layers of applicable regulation in addition to the federal level (eg, data privacy regulation), it has to be cautioned that an assessment of the most important legislation at federal level cannot, of course, provide an exhaustive picture. However, particularly taking into account the most recent amendments of the criminal code with respect to identity theft-related crimes, it seems that overall the legal framework for combating identity theft incidents in Canada is quite comprehensive. How effective the enforcement of the new provisions will be remains to be seen, however. While there is a broad range of information available online on how to prevent identity theft and what to do in case it happens, there is no one-stop shop point for reporting. Victims still have to report to the local law enforcement office, and contact several administrative agencies in order to remedy the identity theft.

7.6 China

There is no legislation in China that focuses explicitly on identity theft as a specific crime, or that defines such a crime. In practice, identity theft incidents are combated using the relevant provisions in a variety of laws (in relation to privacy protection, fraud, forgery of authority documents, etc.).
Other laws that may apply to ID theft incidents
• Criminal Code (eg, Article 192, 194 and 195) and Provisions in relation to Fraud, Forgery and Cybercrime
• Measures for the Administration of Protecting the Security of International Connection to Computer Information Networks (Article 17 December 1997)
• Measures for Administration of Email Service on the Internet
• Law on the Identity Card of Residents (Article 17 and 18 of Law of 28 June 2003)
• Tort Liability Laws applied to privacy breaches (Art 2 of Law of 26 December 2006)

Application of relevant laws in practice
There are examples in case law of prosecutions of both offline and online identity theft offences. For example, a mother who in 2004 paid to swap her daughter’s identity with that of another person, in order for her daughter to attend university, was sentenced to a four year fixed term of imprisonment. In another case, in June 2009 four phishing website operators were arrested and imprisoned for the crime of fraud. Finally, in 2009 an individual who illegally purchased a detailed log of telephone calls made by high-ranking local government officials, and then sold it to fraudsters who used it to impersonate the officials in order to extract money from their friends, was sentenced to 18 months imprisonment.

Reporting Mechanisms
In China, no governmental reporting mechanisms are dedicated exclusively to identity theft. Cybercrime or other forms of fraud may be reported to the police, in the same way as any other type of crime. Some non-governmental reporting mechanisms have been established in some regions. They are, however, not operated by law-enforcement agencies and have only an informational function or provide a technical solution.

Concluding Comments
China has no specific anti-identity theft law, nor is there any specific legal stipulation on identity theft. The legal sources are relatively sporadic (ie, with little coordination) and complicated.
With respect to criminal punishments, identity theft can be criminalized as fraud, forgery, hacking or computer system interference, etc., depending on the circumstances of the case. With respect to administrative punishments, there are a number of laws or regulations addressing the issue from different perspectives, such as computer security, privacy and personal data, confidence and communication, etc. The legally complex situation frequently puzzles the enforcement agencies. Civil liability is generally weak and poorly enforced. Most identity theft victims don’t receive any monetary compensation and experience tremendous difficulty in resuming their own identity. There is no centralized identity theft reporting and protection mechanism provided by any law or operated by any governmental agency. Identity theft cases are primarily handled by police and have to undergo the regular lengthy procedure of investigation and prosecution, which cannot provide timely legal remedies to the victims.

7.7 Cyprus

Although there is no specialised legislation applicable in Cyprus concentrating solely on identity theft criminal issues, identity theft incidents may nevertheless be combated using other laws and regulations concerning cybercrime, personal data protection, criminal sanctions, fraud, etc.
Other laws that may apply to ID theft incidents
• Criminal Code (Section 297) and Provisions in relation to Fraud, Forgery and Cybercrime
• Law of 2004 Ratifying the Cybercrime Convention of 2001
• The Processing of Personal Data Law of 2001
• Law Regulating Electronic Communications and Postal Services of 2004
• The Law for the Protection of Confidentiality of Private Communications (Interception of Conversations) of 1996

Application of relevant laws in practice
While the existing laws appear to be sufficient to address identity theft, it should be noted that there is no readily available information about case-law at first instance level, because in Cyprus only cases at appeal level are recorded. Therefore, there may have been cases judged on identity theft. Examples of prosecutions do exist; for example, in 2009 there were 40 complaints filed with the Office of the Commissioner for the Protection of Personal Data regarding unsolicited marketing against an email marketing company. A fine of EUR 8000 was imposed.

Reporting Mechanisms
SafenetCY is the Cyprus Self Regulatory Body for Internet Content. It is the Hotline that promotes the safe use of the Internet in Cyprus. Every report is recorded in SafenetCY’s database. From that point every procedure has to be completed no later than 24 hours from the time the report was made. The procedures include: verification, tracing the source, notifying the Cyprus Police and notifying foreign hotlines if necessary. Usually, victims of ID theft report an incident directly to the police by visiting a police station in their area.

Concluding Comments
Overall, given that the Republic of Cyprus has ratified the Cybercrime Convention and has harmonised Cypriot legislation with the applicable acquis communautaire, it can be said that the legal framework for combating identity theft incidents in Cyprus is adequate. The establishment of the SafenetCY Hotline has also facilitated the establishment of efficient reporting mechanisms.
Victims of identity theft may report any event either through the SafenetCY Hotline or directly to the Police. The SafenetCY Hotline is not promoted merely as a site where non-victims report Internet crimes; on the contrary, it is a forum for actively protecting victims. Identity theft appears to take a high priority in investigations, especially in cases of clear and significant harm to the victim. There are many reports in various public media regarding the Police’s efforts and work in fighting cybercrime and identity theft, especially where sexual offences against minors or theft are involved. Investigation of incidents in cross-border cases is regular, in collaboration with INTERPOL and EUROPOL. There have been many instances where persons have been extradited to their country of origin in order to be tried for cybercrime offences committed on an international level.

7.8 Czech Republic

No legislation exists in the Czech Republic that focuses explicitly on identity theft as a specific crime, or that defines such a crime. Introducing identity theft as a crime had been considered during the preparation of the new Penal Code in 2009; however, no such crime was included when the Penal Code was adopted.

Other laws that may apply to ID theft incidents
• The Criminal Code (eg, Section 209) and Provisions in relation to Fraud, Forgery and Cybercrime
• Data Protection Act 2000
• Electronic Communications Act
• The Civil Code (Section 11 of Civil Code of Feb 26 1964)

Application of relevant laws in practice
In 2008 an offender stole the passport of another person and acted as this person during criminal proceedings concerning theft, in which the offender was also found guilty under the other person’s name. The offender was subsequently accused of a criminal offence consisting in harming a third party’s rights. The criminal proceedings are ongoing and a sanction has not been imposed yet.
The sanction may be imprisonment for up to two years. In addition, there have been several cases involving phishing in relation to which a criminal investigation has been initiated, but to our knowledge no final judgements have thus far been issued in these cases. Reporting Mechanisms Where ID theft can be considered a violation of criminal law the incident is to be reported to the Police in line with standard procedures. No special reporting mechanism has been established. The following websites focus on safety on Internet. The first forms part of the EU program ‘Safer Internet’, the second and third websites have been endorsed by the Czech Police and Ministry of Education: • • • http://www.saferinternet.cz/o-projektu http://www.emag.cz/komiks-bezpecny-internet/ http://www.internethotline.cz/co-a-jak-hlasit-co-nehlasit.htm Concluding Comments The Czech Republic has adopted a new law significantly changing the punishment of cybercrime. With its entry into effect on 1 January 2010, the new Criminal Code includes a range of provisions sanctioning cybercrime. The proposals for these provisions were based on the Cybercrime Convention approved by the Committee of Ministers of the 51 RAND Europe & time-lex Chapter 7 Country Summaries European Council in 2001 (the Convention), which the Czech Republic signed in 2005 (but which has yet to be ratified by the Czech Republic). Another related issue is the lack of incentives to report identity theft. For example, the banks and other financial institutions whose clients fell victim to identity theft were often reluctant to report these crimes to the law enforcement authorities out of fear for reputational damage and loss of credibility, and they preferred instead to compensate their clients for any financial losses. The new Criminal Code takes into consideration recent developments in information technology and the know-how of cybercriminals, heralding a significant change in the prosecution of cybercrime in the Czech Republic. 
7.9 Denmark
No legislation has been introduced in Denmark that focuses explicitly on identity theft as a specific crime, or that defines such a crime. In practice, identity theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, etc.).

Other laws that may apply to ID theft incidents
• The Criminal Code (Article 171) and Provisions in relation to Fraud, Forgery and Cybercrime
• Act on processing of personal information (Act No 429 31 May 2000)
• Consolidation Act on competition and consumer relations within the telecommunications market, 28 June 2007.

Application of relevant laws in practice
Several cases are known in relation to using a third party’s stolen credit card, which is found to constitute fraud. In the online sphere, in a case from 2000 decided by the Eastern High Court, a person was convicted for gaining access to a third party’s computer and passwords by using a hacker program. The hacker was sentenced to imprisonment with suspended extension. The length of imprisonment was not decided. The result was the same in another case from 2002 published in Ugeskrift for Retsvæsen, 2002, p. 1064.

Reporting Mechanisms
No general identity theft reporting mechanisms exist in Denmark. The Danish IT and Telecom Agency has launched a website called ‘IT-citizen’ which also provides information on security aspects, including identity theft (http://www.it-borger.dk/sikkerhed).

Concluding Comments
It seems that the legal framework for combating identity theft incidents in Denmark is sufficiently comprehensive, as there do not appear to be any examples of identity theft incidents which are not covered under present legislation. Some criticisms have been raised that creating a false identity online would not be prohibited under Danish law. However, it must be expected that such actions would be covered by the Danish data protection act and further by articles under the Criminal Code, depending on how the false profile is created and which information is received. It could be considered a weakness that no general contact point for reporting identity theft exists. However, at present this does not seem to have caused any public criticism.

7.10 Estonia
The main provisions that regulate identity theft in Estonia as a specific crime, or that define such a crime, are written in the Estonian Penal Code. In Estonia criminal offences, including identity theft, can only be regulated in the Penal Code. Under the Penal Code identity theft has been criminalised since 15.03.2007.

Other laws that may apply to ID theft incidents
• Penal Code, 2002 (e.g Section 209)
• Personal Data Protection Act, 1 January 2008
• The Constitution of the Republic of Estonia, 3 July 1992

Application of relevant laws in practice
The Estonian Supreme Court (‘Riigikohus’) dealt with cases where a third party’s bank identifier codes had been used to gain access to an Internet bank account. The Supreme Court found this to constitute computer-related fraud. For an offline example, the Estonian Supreme Court ruled on a case in 2009 where a person falsified an important identity document, namely a passport (under § 347 of the Criminal Code), in order to conclude a purchase contract for mobile phones.

Reporting Mechanisms
Victims of identity theft or identity-related incidents are recommended to contact the local Police directly. The website of the Estonian Police and Border Guard Board (http://www.politsei.ee/et/nouanded/it-kuriteod/) provides information about identity crimes, how to protect oneself and how to contact the police if you are a victim of identity theft or IT crime. The police also provide information about fraud and computer-related fraud.
To raise computer security and identity theft awareness among the general public, several other informational websites have been launched (see for example http://www.arvutikaitse.ee and http://www.assapauk.ee).

Concluding Comments
The legal framework for combating identity theft incidents in Estonia is sufficiently comprehensive and flexible. There do not appear to be any examples of identity theft incidents which are not covered under present legislation. One weakness is that the country does not have any identity theft reporting mechanisms (websites), but there is always the possibility to report the malpractice to the Police. Victims of identity theft are required to go through official channels to report the theft (ie, registering a complaint with the local police). This process can be slow, and it seems that identity theft does not take high priority in investigations, except in cases of clear and significant harm to the victim.

7.11 Finland
No legislation has been introduced in Finland that focuses explicitly on ID theft as a specific crime, or that defines such theft as a crime. However, stealing and/or using someone else’s ID would most likely constitute a violation of other provisions of law (eg, Personal Data Act, 523/1999, and Criminal Code, 39/1889). The Finnish Ministry of the Interior has set up a working party to assess the protection of identity by legal means, and the report of the work should be published during the spring of 2010. Pursuant to the initial information given by the Ministry of the Interior, the working party will not be proposing criminalisation of identity theft as a specific crime but will submit this issue to be further considered by the Finnish Ministry of Justice.

Other laws that may apply to ID theft incidents
• Criminal Code (eg. Section 2, Ch 36) and Provisions in relation to Fraud, Forgery and Cybercrime
• Personal Data Act 1999
• The Act on the Protection of Privacy in Electronic Communications

Application of relevant laws in practice
There are several cases specifically in relation to using a third party’s stolen credit card. Paying for purchases with a stolen credit card is considered fraud in Finland. However, most of these offences are not committed online. For example, in 2009 the Kouvola Court of Appeal ruled that usage of a found credit card and falsifying the signature when paying by the card constituted fraud and forgery.

Reporting Mechanisms
In Finland one can report identity theft to the police if it involves a suspected crime. It is possible to file an electronic report of an offence via the police’s website. The website offers special forms for reporting crimes (http://www.poliisi.fi). The Finnish Communications Regulatory Authority (in Finnish: Viestintävirasto) is an authority which maintains an overview of the functionality of electronic communications networks and information security, and reports on possible information security threats. There is a form for reporting information security offences available on the website, as well as basic instructions on information security matters. It is also possible to report all cases which involve the misuse of personal data to the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), which is an independent authority operating in connection with the Ministry of Justice. The website includes a lot of information on data protection in general as well.

Concluding Comments
The main challenge/problem in Finland seems to be that identity theft itself is not criminalised, and so the Criminal Code covers certain forms/types of identity theft only.
Identity theft is not a criminal offence unless it involves the unlawful appropriation of property (fraud) or spreading false information or a false insinuation about another person so that the act is conducive to causing damage or suffering to that person or subjecting that person to contempt (defamation). Further, one can argue it is problematic that in cases of fraud the injured party of ID theft is not considered to be the person whose identity has been stolen but, for example, the store where the purchase was made with the false identity. Based on the above, one can likely argue that the current legislation does not protect the ‘real’ injured party enough.

7.12 France
The French Criminal Code contains a specific provision for identity theft (Article 434-23). The wording of this article, however, leaves out a number of cases where identity theft does not trigger any legal or economic consequence for the victim. Such acts are nowadays pursued under other crimes such as libel or misappropriation of correspondence. However, conduct which does not constitute a crime by itself remains unpunished. This is for instance the case of fraudulent use of emails by third parties for, for example, affiliating the victim to a political party or other associations. Similarly, phishing cannot currently be punished under Criminal Law if not followed by potential initiation of criminal prosecution against the victim. In order to close this legal loophole, the creation of a new crime that would punish identity theft in electronic communications is currently being discussed by the French Parliament. If approved, the act (known as LOPPSI 2) would introduce a new article into the Criminal Law Code.

Other laws that may apply to ID theft incidents
• Criminal Code (Article 441-4) and Provisions in relation to Fraud, Forgery and Cybercrime
• Data protection law (Act n°78-17 of 6 January 1978)
• Civil Code (Article 9)

Application of Relevant Laws in Practice
There are a number of examples of successful prosecution of identity theft offences in France, including:
• The ruling of the Supreme Court of 20 January 2009. The authors of the crime had published pictures of the victim naked on the Internet, making use of her email address. The offenders were convicted on the basis of article 434-23 of the Penal Code (identity theft) and the right to privacy.
• In the High Court ruling of 2004, the First Instance Tribunal of Paris sanctioned a phishing attack on the basis of fraud, unlawful access to a computer system and unlawful alteration of data contained in such a system. The convicted person had mirrored a bank website and by these means managed to order transfers of funds from his victims to chosen bank accounts. The offender was also convicted for attempted fraud and fraudulent access to an automated data processing system and received a suspended prison sentence of one year and a fine of 8,500 euros.

Reporting Mechanisms
There is no specific identity theft reporting mechanism in France. Several public awareness campaigns have been launched on the basis of private initiatives, mainly related to financial identity theft.

Concluding Comments
It seems that the legal framework for combating identity theft incidents in France is sufficiently comprehensive. The identity fraud offence as punished under the Criminal Code is hardly used in legal procedures when it comes to online identity fraud. Other crimes, such as fraud or unauthorised access to an information system, are better suited to protect the victims from these practices. The introduction of a new crime of digital identity theft will better address the problems raised by online identity theft.
7.13 Germany
No legislation has been introduced in Germany that focuses explicitly on identity theft as a specific crime and hence defines such an identity theft crime. In practice, identity theft incidents are combated using the general provisions of the laws set forth below, in particular the laws concerning the right to one’s own name, the protection of personal data against unauthorised use, and the criminal offences of data espionage, data interception, data-related forgery, fraud, computer-related fraud, data alteration and computer sabotage.

Other laws that may apply to ID theft incidents
• Criminal Code (Section 263 (3))
• Telecommunications Act (eg, Section 88)
• Federal Data Protection Act

Application of law in practice
There are a number of examples of successful prosecution of identity theft offences in Germany, including:
• In civil proceedings, claimants have based their action against the unauthorised use of their name by another person on the infringement of their right to their own name pursuant to section 12 BGB. There is a string of well established cases where courts have found that this right to one’s own name entitles the holder to forbid the unauthorised use of the same name by another person, in particular if the use of the same name causes a likelihood of confusion.
• In both civil and criminal proceedings concerning the unauthorised use of unlawfully obtained data containing personal identity information, courts have found that the unauthorised use of such unlawfully obtained data for a transaction causing damage to the victim’s financial position may constitute a criminal offence of fraud or computer-related fraud.
• Prevailing case law criminalises the act of using spyware itself as a hacker tool preparatory to an intended data espionage, data interception, data tampering or computer sabotage only if this spyware has been objectively designed or adapted primarily for the purpose of committing the intended data espionage.

Reporting Mechanisms
There is no German-language website dedicated solely and exclusively to identity theft where victims of ID theft could use an official reporting mechanism in order to file their charges. However, several websites focussing on Internet security and cybercrime in general offer valuable advice and guidance for consumers who seek to protect themselves against identity theft (for example http://www.bfdi.bund.de).

Concluding Comments
In general, it seems that the legal framework for combating identity theft in Germany is sufficiently comprehensive, as there do not appear to be any relevant cases of identity theft incidents which may not be covered by the available laws at present. Data breach disclosure laws act as one remedy for identity theft. The effectiveness of data breach disclosure law relies on the actions taken thereupon. Therefore, it is important to raise public awareness of identity theft risks with consumers, businesses, state agencies and law enforcement bodies.

7.14 Greece
No legislation has been introduced in Greece that focuses explicitly on identity theft as a specific crime, or that defines such a crime. In practice, identity theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, etc.). No such legislation is currently under consideration to our knowledge. Instead, the policy emphasis in Greece is more on improving awareness of ID theft risks with potential victims and law enforcement bodies.
It should be noted that Greece has still not ratified the Council of Europe Convention on Cybercrime, nor has it transposed the EU Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems into the Greek legal system.

Other laws that may apply to ID theft incidents
• Penal Code (eg, Art 386)
• Protection of Individuals with regard to the Processing of Personal Data.
• Protection of personal data and privacy in the electronic telecommunications sector.

Application of law in practice
There are a number of examples of successful prosecution of identity theft offences in Greece, including:
• A defendant created a Facebook account under a fake name and posted defamatory information about, and documents of, the plaintiff. This act was considered as unlawful processing of personal data and violation of the personality of the defendant. However, it should be noted that the decision on the case is not final yet.
• Several cases of prosecution are known, specifically in relation to using a third party’s stolen credit/debit card.
• In a case in which the defendant was intercepting credit card and identity details online and selling them to third parties via the Internet, the Supreme Court ruled that Fraud (and not Fraud with a computer) had taken place.

Reporting Mechanism
Saferinternet.gr (www.saferinternet.gr) is the awareness-raising and information website of the Greek Awareness Centre, under the auspices of the Hellenic Ministry of Economy and Finance/Special Secretariat of information society, in cooperation with various private and public market players. Saferinternet.gr serves as an information portal for Internet-based crimes, but focuses also on identity theft. The hotline SafeLine (http://www.safeline.gr/) exists for the reporting of violations (including identity theft incidents). Although SafeLine focuses mainly on illegal Internet content, it is also used as the reporting mechanism for any Internet-based crime, including identity theft.

Concluding Comments
Although Greece has still not ratified the Council of Europe Convention on Cybercrime (185), and similarly has not transposed the EU Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems into the Greek legal system, analysis shows that most identity theft cases can be covered under the current legislation.

7.15 Hungary
Identity theft is not a specific crime under Hungarian legislation. While some elements related to identity theft, such as personal data abuse and illegal access to computer systems or communications networks, are covered by specific acts, these behaviours are punishable under the Criminal Code, as are fraud and forgery. The preparation of the bill on IT Security was finished in 2009. The bill gives a definition of identity theft, and if it is enacted in time these crimes should be sanctioned by the (amended version of the) Criminal Code from January 1, 2011.

Other laws that may apply to ID theft incidents
• Criminal Code (eg, Article 318)
• Protection of Personal Data and the Disclosure of Information of Public Interest.
• Act on electronic communications

Application of law in Practice
In a case in 2007, the Municipal Court heard the case of a bank employee and an accomplice who, without authorisation, collected the account details of 7 clients holding large amounts of money from the bank information system and transferred money into two bank accounts opened using lost and falsified identity documents. The Municipal Court found the defendants guilty of fraud together with the crime of violation of banking secrecy and the offence of forgery of official documents.
According to the statistics of the General Prosecutor's Office, 2302 denunciations were made in 2007 for abuse of personal data; of these, the investigation was discontinued in 2207 cases at the prosecutorial phase. Far fewer, 262, denunciations arrived in 2008, but among these 158 investigations were discontinued, and in 68 cases the denunciation was rejected. The majority of the rejections happened because of the absence of a significant injury of interest.

Reporting Mechanisms
If action is required, the incident should be reported to the police. The police shall answer within three days or indicate the responsible authority. This is a general rule covering identity theft as well as other online-related crime. The National Cyber Security Center publishes daily and weekly reports about vulnerabilities, risks and incidents, a quarterly summary and analysis, and other professional papers. It operates the National General Duty Service of Informatics and Communications, an on-site 24/7 duty service to handle incidents.

Concluding Comments
The legal framework is sufficiently comprehensive in the field of personal data protection and computer crime. The act on electronic communications regulates the functions of the state and of the service providers, essentially governed by market competition. The act provides for the protection of systems security; however, it does not prohibit any form of unauthorised access by any unauthorised natural or legal person, which is sanctioned by the Criminal Code at the same time. The preparation of the bill on IT Security in 2009 should be considered positively, should it soon be enacted by the Parliament.

7.16 India
There is no general data protection law in India. The Constitution of India, ratified in 1950, does not explicitly recognise the right to privacy. However, the Supreme Court first recognised in 1964 that there is a right of privacy implicit in Article 21 of the Constitution, which states, ‘No person shall be deprived of his life or personal liberty except according to procedure established by law’. There is no mention of the word ‘privacy’ here; instead the term ‘personal liberty’ has been used. The Information Technology Act 2000 (IT ACT 2000) was notified on Oct 17, 2000 by the Indian Parliament. An amendment to the 2000 Act was proposed in 2005/2006; it was amended through the Information Technology Act 2008 and was notified by the Indian Parliament on Oct 27, 2009. The amended Act addresses many cyber security and privacy issues.

Other laws that may apply to ID theft incidents
• Indian Penal Code, 1960
• IT ACT 2000
• Special Relief Act, 1963

Application of law in Practice
Several examples exist of applying existing law to identity theft cases, particularly in the areas of unlawfully using another person’s credentials, and trafficking in unlawfully obtained pictures and videos.

Reporting Mechanisms
Indian citizens have many venues to report identity theft:
• Indian Computer Emergency Response Team (CERT-IN)
• Cyber Crime Investigation Cells across India (eg, http://www.cybercellmumbai.com/ in Mumbai)
• Cyber Crime police stations; an example is http://www.cyberpolicebangalore.nic.in/ in Bangalore
The caveat is that the reporting mechanisms are not promoted as they should be and therefore the number of incidents that are reported is far lower than the actual number.

Concluding Comments
The laws appear sufficient to cover all incidents of identity theft in some form or other, but the problem seems to be the gap between technologists and lawyers in India. There is very little interaction between these two communities. There is also a dearth of knowledge on the techno-legal aspects of the identity theft issue.
One main thing that India needs to look at is capacity building, to train technologists about law and lawyers/investigating officers about technology. Given the plethora of issues and the huge population in India, it may not be appropriate to expect quick responses with respect to solving the identity theft problem. Some of these cases take a long time, and it is highly likely that there are many cases being discussed in the courts as this report is written.

7.17 Ireland
There is no Irish legislation focusing specifically on identity theft. Identity theft incidents would be dealt with through provisions relating to fraud or data protection. No such identity theft laws are currently under consideration by the lawmaker according to the available information.

Other laws that may apply to ID theft incidents
• Criminal Justice (Theft and Fraud Offences) Act 2001
• Criminal Damage Act 1991
• Data Protection Acts 1988
• Data Protection (Amendment) Act 2003
• Postal & Telecommunications Services Act 1983

Application of law in Practice
There are relatively few examples in case law of identity theft-related incidents. However, one example of Irish law in practice was the handling by the Data Protection Commissioner of an inquiry relating to an offer of the ‘gift’ of a database of names and addresses that had been made to a charity. The charity asked for advice from the Commissioner’s office as to whether they could accept this gift. The Commissioner expressed the view that acceptance of the gift would involve breaches of the fair obtaining and compatible processing requirements of the Data Protection Acts. In addition, a number of prosecutions have taken place for passport fraud.

Reporting Mechanisms
No dedicated identity theft reporting mechanisms exist. The ‘www.hotline.ie’ service provides a facility for the public to report suspected illegal content encountered on the Internet. It is mainly concerned with material such as child pornography, but it appears that it does receive complaints concerning identity theft and phishing.

Concluding Comments
Regarding the issue of whether or not the laws are sufficiently flexible to cover all incidents of identity theft, the laws appear to be suitable in terms of covering all incidents of identity theft in Ireland. The Data Protection Commissioner is of the view that identity theft is not a significant issue in Ireland. The Commissioner takes the view that one reason for this is the absence of a unique national identity number in widespread use. As regards the application and effectiveness of these laws in practice, the main challenges include issues relating to detection and the gathering of evidence. The often cross-jurisdictional nature of the problem exacerbates these problems. Regarding the reporting mechanisms and the following up of investigations, there is no dedicated identity theft reporting mechanism in place. While such a mechanism could be useful, the establishment of a new reporting mechanism could be a source of confusion to the public. It might therefore be better to run a public information programme making it clear that incidents of identity theft should be reported to the Data Protection Commissioner or, where there is criminal intent, to the police. The institution of a mechanism for the online reporting of identity theft involving criminal intent via the Garda website could be explored.

7.18 Italy
No legislation has been introduced in Italy that focuses explicitly and directly on identity theft as a specific crime, or that defines such a crime comprehensively. Currently, identity theft-related crimes, in their various expressions, are addressed through the general provisions listed below. No such legislation is currently under evaluation or definition.
The policy emphasis is on improving awareness of such crime among citizens and law enforcement bodies.

Other laws that may apply to ID theft incidents
• Code of criminal procedure (Art 640 ter)
• Italian Constitution
• Code of protection of personal data
• Code of conduct for telecommunications

Application of law in Practice
There are a number of examples of successful prosecution of identity theft offences in Italy, including:
• In 2008, a cyber attack against the Italian Group ‘Poste Italiane’ (Italian Post Company) and one of the major banking and financial institutions (Banca Intesa) was prosecuted under art. 494 of the Criminal code (‘substitution of person’), citing the intent of the criminals to use a false identity to break into the companies’ electronic systems and steal money.
• Cases of ‘sms phishing’ and online phishing have been prosecuted. For example, in 2008 a court sentenced a 24-year-old man to 1 year and 8 months’ imprisonment for ‘manipulation of electronic communication for the purpose of fraud’.

Reporting mechanisms
• Polizia Postale e delle comunicazioni (TLC and Postal Police): the specialised police branch for the prevention of cyber crimes and the investigation of electronic crimes, the prevention of hacking, the secrecy of communications and the fight against online child pornography. It operates through 20 regional offices and an electronic window for reporting crimes.
• Commissariato online (online police office): the most recent and state-of-the-art reporting mechanism. Through an electronic window (http://www.commissariatodips.it/) crimes can be reported directly, with the instant opening of a crime report.

Concluding Comments
From a general perspective, the Italian legislation to prevent and punish identity theft and other cyber-related crimes is in quick and growing evolution. Within the framework of European cooperation, Italy is updating most of its civil and criminal provisions to fight such phenomena. Furthermore, there is a divisive political debate involving the Italian Parliament and social actors about a potential reform of the law on secrecy of communications (mainly based on wiretapping procedures and guarantees). It is highly probable that the law will change very soon, implying a more restrictive interpretation of procedures to authorise wiretapping and harsher sanctions for people violating data protection (especially in terms of news leaks).

7.19 Japan
No legislation has been introduced in Japan that focuses explicitly on identity theft as a specific crime, or that defines such a crime. In practice, identity theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, etc.). No such legislation is currently under consideration to our knowledge. Instead, the policy emphasis in Japan is more on improving awareness of identity theft risks with potential victims and law enforcement bodies.

Other Laws that may apply to ID theft incidents
• Penal Code (eg, Act No. 45 of April 24, 1907)
• Act on the Protection of Personal Information Held by Administrative Organs
• Act on the Protection of Personal Information Held by Independent Administrative Agencies
• Act on the Prohibition of Unauthorized Computer Access
• Family Registration Act
• Passport Act

Application of law in practice
There are a number of examples from case law in Japan relating to the claiming of a false identity online, unlawfully using another person’s credentials, phishing, and trafficking in unlawfully obtained personal information.

Reporting Mechanisms
In Japan, there exists no dedicated reporting mechanism for online or offline identity theft.
However a website called ‘National Police Agency, Internet safety and security consultation (keisatsucho intanetto anzenn anshin soudan)’ (http://www.npa.go.jp/cybersafety/) provides information and consultations services related to phishing and unauthorized access to information. There are a number of other websites which provide information on identity theft and cybercrime, including the National Policy Agency’s ‘Cybercrime Project’ (http://www.npa.go.jp/cyber/). Concluding Comments Globally, it seems that the legal framework for combating identity theft incidents in Japan is sufficiently comprehensive, as there do not appear to be any examples of identity theft incidents which are not covered under present legislation. In Japan there is not a portal site to report Internet crime, but various organizations including the National Police Agency continue to work on informing the public. None the less, there are also a few weaknesses. Firstly, when the victim encounters or almost encounters damage from cybercrime, the police offices conduct a consultation and a report, but they do not come to public attention. Victims of identity theft are required to go through official channels (ie, registering a complaint with local police offices). identity theft does not appear to take a high priority in investigations, except in cases of clear and significant harm to the victim. 62 RAND Europe & time-lex Chapter 7 Country Summaries Secondly, the investigation of incidents remains complicated in practice, especially in cross border cases. In Japan, many people do not seem to understand yet the value placed on information, and the menace of the fraudulent use of information. 7.20 Latvia In Latvia no laws which focus explicitly on identity theft have been introduced. 
The phenomenon of identity theft, which may take multiple forms, is combated with the help of general laws relating to personal data protection and the provision of communications services, as well as with the help of various administratively and criminally punishable offences. To our knowledge, no legislation focusing explicitly on identity theft is currently being considered. However, at the beginning of March of this year the Cabinet of Ministers tasked the Ministry of Transportation with developing a new law on cyber security.

Other laws that may apply to ID theft incidents
• Criminal Law (eg, Section 177)
• Personal Data Protection Law
• Electronic Communications Law

Application of law in practice
Although no case law related to identity theft is publicly available, there do not appear to be any examples of identity theft incidents which are not covered under present law. For example, the act of phishing would likely be, amongst other things, a violation of the Personal Data Protection Law, since the credentials are likely to be considered personal data which are being unlawfully processed. The act of using falsified documents to unlawfully apply for social benefits would likely be a violation of Section 275 of the Criminal Law (Forgery).

Reporting Mechanisms
Computer incidents can be reported either by telephone or online at [email protected] to the Computer Security Incident Response Team (DDIRV), which was initially established as a department of the State information network agency. DDIRV’s basic service (for example, recommendations in case of computer security incidents) is available to both registered and unregistered clients, but only IT administrators of State and municipal institutions can voluntarily register for additional benefits such as pre-emptive information about threats that might affect their systems.
In addition, suspected illegal operations with personal data should be reported to the Data State Inspectorate, by submitting the application either in person or by post, or by sending the information electronically (if signed with a secure electronic signature).

Concluding Comments
It seems that the legal framework for combating identity theft incidents in Latvia is sufficiently comprehensive. The tradition of defining administratively and criminally punishable offences in codified laws (the Latvian Administrative Violations Code and the Criminal Law, respectively) is long-standing, and therefore the absence of a specific law focusing explicitly on identity theft does not seem to create any difficulty, since the existing sources may easily be applied to identity theft incidents. On the other hand, earlier this year a large amount of personal data was stolen from the information systems of the State Revenue Service. Data about the incomes of persons is publicly revealed from time to time, and it seems that the State Police has had huge difficulty finding the persons responsible. This highlights that the challenge often lies in the practical implementation of the laws rather than in the laws themselves. Moreover, data about the actual number of administrative and criminal offences related to identity theft, as well as a complete database of court practice, is not publicly available.

7.21 Lithuania

No legislation has been introduced in Lithuania that focuses explicitly on identity theft as a specific crime, or that defines such a crime. In practice, identity theft incidents are combated using the general provisions below (in relation to personal data protection, fraud etc.). No such legislation is currently under consideration according to the information available.
Other laws that may apply to ID theft incidents
• The Criminal Code (eg, Article 198)
• Legal protection of personal data, 1996
• Law on Electronic Communications, 2004

Application of law in practice
Several cases involve falsified identity documents, specifically in relation to the use of falsified passports. For example, the Supreme Court of Lithuania ruled on a case where a person falsified a passport. The defendant was convicted for violation of paragraph 2 of Article 300 of the Criminal Code, which prohibits falsifying a passport, identity card, driving licence or state social insurance certificate, and was sentenced to imprisonment.

Reporting Mechanisms
To facilitate the reporting of IT security incidents (including, but not limited to, system intrusion, phishing, spam, spyware etc.), a general reporting website (www.cert.lt) was established by CERT-LT in Lithuania. CERT-LT is the Lithuanian National Computer Emergency Response Team, whose task is to promote security in the information society by preventing, observing and solving information security incidents and disseminating information on threats to information security. CERT-LT activities are managed by the Lithuanian Communications Regulatory Authority. CERT-LT publishes annual and quarterly statistical reports on the status and development of online-related crimes and security threats in Lithuania. The CERT-LT website provides users with general information regarding online incidents and the ways to combat them. The website of CERT-LT acts as a single contact point through which IT security incidents can be reported by filling in the online form in either Lithuanian or English. When submitting the report it is required to provide an email address and a description of the IT incident. It should be noted that the CERT-LT website is primarily aimed at allowing citizens to report information security incidents or threats that they have observed but of which they were not the victims.
Victims of such incidents, if any damages were suffered, are recommended to contact directly the local police office or the Lithuanian Cyberpolice (http://www.cyberpolice.lt).

Concluding Comments
It appears that the legal framework for combating identity theft incidents in Lithuania is sufficiently comprehensive to cover the identity theft incidents described in this report. Furthermore, the establishment of a single contact point for reporting IT security incidents (the aforementioned CERT-LT website) should be considered a positive development in combating IT security threats. However, CERT-LT does not investigate the Internet crimes associated with identity theft. Victims of identity theft are still required to go through official channels (ie, registering a complaint with the local police office or Cyberpolice). This process is still not transparent enough to victims, and the follow-up of such complaints can be rather slow. It should also be noted that there is not enough publicly available information about Internet-based crimes, especially in the case of identity theft.

7.22 Luxembourg

No legislation has been introduced in Luxembourg that focuses explicitly on identity theft as a specific crime, or that defines such a crime. In practice, identity theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, etc.). No such legislation is currently under consideration to our knowledge.
Other laws that may apply to ID theft incidents
• Criminal Code (Article 231 of the Criminal Code)
• Law on the protection of individuals with regard to the processing of personal data
• Law of 11 August 1982 on privacy
• Law of 30 May 2005 on specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector

Application of law in practice
Although very little identity theft case law exists or is available in Luxembourg, it seems that most identity theft incidents should be covered under present legislation. For example, using falsified identity documents would likely constitute: a violation of data protection laws; forgery related to identity documents; illegal access to information systems; and illegal data interference.

Reporting Mechanisms
There is neither a specific website dedicated to the reporting of identity theft in Luxembourg nor any other specific offline reporting mechanism. Victims of identity theft are required to go through official channels. In this respect, they have the following three options: they can file a criminal complaint at the offices of the Luxembourg Police Force; they can file a criminal complaint with the Public Prosecutor (‘Procureur d’Etat’) or the competent Examining Magistrate (‘juge d’instruction’); or, finally, they may introduce a civil action before the Luxembourg criminal or civil courts, provided that they know the identity of the defendant. In addition, it is worth mentioning the work undertaken by CASES (www.cases.lu), which is a service of the Luxembourg Ministry of Economy and Foreign Trade. This service aims at increasing awareness of the risks relating to computer systems and information networks among administrations, companies and citizens.
Concluding Comments
Globally, it seems that the legal framework for combating identity theft incidents in Luxembourg is sufficiently comprehensive. The highly comprehensive information broadcast by CASES in relation to cybercrime and identity theft can also be considered a positive development. However, there is no single point of contact, online or offline, dedicated to reporting identity theft. Victims of identity theft are required to go through official channels (ie, especially registering a complaint with local police offices). This process is still relatively non-transparent to victims, and follow-up to such complaints can be slow, depending on the availability of resources of the investigating magistrates. Identity theft does not appear to take a high priority in investigations, except in cases of clear and significant harm to the victim.

7.23 Malta

To date there is no legislation in Malta that explicitly regulates ‘identity theft’ as a specific sui generis offence or contravention, or, for that matter, which provides any express definition of or sanctions for such a specific crime. Therefore, at present, in the event that an incident of identity theft occurs, legal action may be pursued under Maltese law only if the incident may be deemed to constitute or form part of another offence at law (or if it is deemed to be ‘preparatory works’ for such other offence or, for instance, ‘conspiracy’ to commit such other offence).

Other laws that may apply to ID theft incidents
• Criminal Code (eg, Chapter 9, Article 308)
• The Maltese Constitution
• The Data Protection Act
• The Electronic Communications (Personal Data and Protection of Privacy) Regulations
• The Electronic Commerce Act
• The Identity Cards Act

Application of law in practice
There are a number of examples of prosecutions for identity theft in Malta.
For example, there are several judgements relating to fraud by persons using the credentials of another person. There are also judgements relating to the use of falsified documents to unlawfully apply for social benefits.

Reporting Mechanisms
In Malta there is no website reporting mechanism exclusively focused on identity theft. However, the general reporting site www.polizija.gov.mt would cover the reporting of such incidents. This website is an e-government initiative focusing primarily on the reporting by any person whatsoever of any criminal acts and on the provision of information to the police about ongoing or suspected criminal activity. The portal is managed by the Malta Police Force. The scope of the portal is not focused purely on identity theft incidents; it is rather a tool which applies to all types of crimes, including offences which, as discussed above, could also constitute or include elements of identity theft and which are not necessarily Internet-related crimes.

Concluding Comments
Generally, the Maltese legislative framework is broad enough to permit incidents of identity theft to be prosecuted in Malta, as the Malta Police Force Cyber Crime Unit (and possibly the Office of the Data Protection Commissioner) will normally prosecute such a crime under another specific offence in terms of law. That said, the practical and technical difficulties of following up and investigating such incidents, collecting evidence and taking action in such cases are several, and undoubtedly the cross-border nature of such crimes remains one of the major obstacles to their successful prosecution. On a separate note, increased efforts are required to educate Maltese Internet users (especially consumers and children) about the possible dangers which may exist online with respect to identity theft.
At present there appears to be no online tool which serves to provide clear, user-friendly information to such Internet users, and thus the execution of an ongoing online campaign is recommended.

7.24 The Netherlands

No legislation has been introduced in the Netherlands that focuses explicitly on identity theft as a specific crime, or that defines such a crime. In practice, identity theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, forgery, hacking etc.). No such legislation is currently under consideration to our knowledge.

Other laws that may apply to ID theft incidents
• Criminal Code (eg, Article 255)
• Law of 6 July 2000 protecting personal data
• Law of 19 October 1998 on telecommunication

Application of law in practice
There are some notable examples of case law related to identity theft in the Netherlands. For example, in respect of phishing, there is the case decided by the Amsterdam Court on 28 May 2003 regarding a Nigerian scam in which people were tricked by email. The suspect was convicted of money laundering, involvement in a criminal organisation, fraud, forgery and possession of forged travel documents, and sentenced to a fine of 411.440 EUR and four years and six months of imprisonment.

Reporting Mechanisms
CMI, the Central Reporting and Information Point for Identity Fraud and Identity Errors (Centraal Melden Informatiepunt Identiteitsfraude en -fouten, http://www.overheid.nl/identiteitsfraude), is an initiative of the Dutch government. Its purpose is to assist and advise citizens confronted with identity fraud or mistakes in the registration of personal data. The website provides information regarding the prevention of abuse, warning signs that can indicate abuse, and an extensive FAQ list. Inquiries can be made via a contact form and will be answered by email. Once a victim becomes aware of or suspects identity fraud, CMI will advise on appropriate actions to undertake and will provide follow-up information to the victim.
Apart from CMI, several other sites play a mainly informative role with respect to identity theft, including notably GOVCERT.NL (http://www.govcert.nl/).

Concluding Comments
Globally, it seems that the legal framework for combating identity theft incidents in the Netherlands is sufficiently comprehensive, as there do not appear to be any examples of identity theft incidents which are not covered under present legislation. The establishment of a reporting site for identity theft (the aforementioned CMI portal) can be considered a positive development. Also, since April 2010 the Netherlands has organised a Knowledge Centre Cybercrime (‘Kenniscentrum Cybercrime’). This centre will record all case law regarding cybercrime and will supply judges and clerks with practical and judicial information on cybercrime. Crucial challenges include facilitating and streamlining collaboration with the private sector (where many identity theft incidents originate), and improving policy attention to the correction of errors introduced into official identity databases as a result of identity theft.

7.25 Poland

No Polish legislation focuses explicitly on identity theft as a specific punishable act, nor does it define the deed as such. Identity theft is therefore combated with the general provisions listed below (as a data protection infringement, fraud, etc.). No legislation in the area is currently under consideration either.
Other laws that may apply to ID theft incidents
• Criminal Code (Article 286 Section 1)
• Act of August 29, 1997 on the Protection of Personal Data
• Telecommunications Law of 16 July 2004

Application of law in practice
There are several examples regarding the claiming of a false identity online, in which the Data Protection Ombudsman directed victims towards law enforcement agencies, after which the Ombudsman lost track of the cases and the outcomes were unfortunately not reported to the wider audience.

Reporting Mechanisms
No specific online identity theft reporting mechanisms exist in Poland. Instances of identity theft may be reported to the police (no online applications facilitating this process are available) or to the Data Protection Ombudsman. In the latter case a victim may file a complaint electronically (at http://www.giodo.gov.pl/432/id_art/2096/), yet to do this effectively the complaint must be signed with a secure electronic signature (roughly equivalent to an advanced electronic signature) verified with a qualified certificate. In the case of damage done to a financial account, identity thefts are reported to the financial institutions, predominantly by phone. Cooperation between those institutions and law enforcement agencies is determined by each of those institutions separately.

Concluding Comments
It is hard to assess the scope and scale of identity theft in Poland, as no relevant statistics have been made available; in all likelihood, no such statistics have been collected. According to the assessment of the Data Protection Ombudsman, victims most often refer to law enforcement agencies directly, without involving the data protection agency. Those cases are hardly ever publicised. Even though, therefore, the picture is very incomplete and instances of identity theft are not exceptional, in most cases they do not seem to have involved significant damage to their victims.
There are several possible explanations for this situation. First, the multifaceted legal framework provides comprehensive legal protection, both preventive (data protection legislation) and repressive (data protection and criminal legislation). Second, the demanding standard of data protection law, combined with the efforts of the Data Protection Ombudsman to control personal data processing systems, makes leakages of personal data from computer systems relatively difficult. Third, the damage done as a consequence of an identity theft is also alleviated by the proliferation of protection tools implemented by potential co-victims of the most serious identity theft-related misdeeds, ie, financial institutions. Finally, data subjects generally handle their personal information more carefully (especially login details for financial assets) when carelessness may cause serious damage to their interests.

7.26 Portugal

Portugal has a long tradition in the enactment of computer crime legislation. In fact, since 1991 Portugal has had a legal framework applicable to computer crime (the Computer Crime Law; this act followed the minimal list of Recommendation (89)9 of the European Council). In 1998 a new computer crime was set out: computer-related fraud (as the scope of the protection is mainly property, the Portuguese legislator considered that this crime should be included in the Penal Code and not in Law 109/91). Recently, the Cybercrime Law (Law no. 109/2009) revoked the 1991 legal framework and transposed Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems. This act introduced a specific rule in order to condemn and punish some identity theft incidents. This act also includes the specific criminalisation of traditional criminal acts committed by electronic means and thus, being a special law, it leads to the non-application of the general rules of the Penal Code.
Other laws that may apply to ID theft incidents
• Criminal Code (Article 217)
• Cybercrime Law
• Data Protection Law

Application of the law in practice
Several cases of unlawful use of another person’s credentials have been decided, namely in relation to computer fraud (an emblematic decision of the Supreme Court was issued in 2000). The Supreme Court has also ruled on a number of cases involving falsified identity documents (not in relation to electronic documents), and in general these decisions were combined with a sentence for fraud.

Reporting Mechanisms
No specific platforms for identity theft reporting have been set up. However, it can be said that, in general, such practices are reported to the Polícia Judiciária (this police authority has a defined and autonomous police department acting in the area of high technology, including computer-related crimes). Furthermore, CERT.PT has been promoting the creation of a national network of CSIRTs and other security points of contact by concluding formal agreements with relevant stakeholders. In this context, CERT.PT has formal agreements with major national ISPs and with the criminal investigation authority (Polícia Judiciária), and it is also a primary point of contact. Finally, ANACOM (the telecoms regulatory authority) and the ‘Comissão Nacional de Protecção de Dados’ (Data Protection Authority) are also entities receiving requests from the public, but their role in the case of criminal issues is to send these cases to the Ministério Público (Public Prosecutor) or to the Polícia Judiciária.

Concluding Comments
Globally, it seems that the legal framework for combating identity theft incidents in Portugal is sufficiently comprehensive, as no examples of identity theft incidents which are not covered under present legislation have appeared in practice.
Furthermore, the revision of the 1991 Computer Crime Law by the 2009 Cybercrime Law made it possible to penalise more concretely some actions within the sphere of identity theft, namely through the wider wording of Article 3 (Computer-Related Forgery). On the enforcement side, the launch of centralised systems allowing a clear and swift mechanism for complaints is still lacking.

7.27 Romania

Romanian legislation does not provide for an incrimination per se of identity theft. The current legislation does not explicitly focus on identity theft as a specific crime, and does not provide a definition thereof. However, identity theft incidents are covered in practice by the provisions of the legislation mentioned below (regarding personal data protection, fraud, forgery and computer-related crimes). To our knowledge, no specific legislation regarding identity theft is currently under consideration.

Other laws that may apply to ID theft incidents
• Romanian Criminal Code of 1997 (Article 215)
• Title III on Preventing and Fighting Cyber-Crime of Law no. 161 of 2003
• Law no. 677 of November 21, 2001 for the Protection of Individuals with regard to the Processing of Personal Data and the Free Movement of Such Data
• Law no. 506 of 2004 on Data Processing and the Protection of Private Life within the Electronic Communications Sector, as amended in 2009

Application of law in practice
There are several examples in case law of identity theft-related incidents. For example, in a recent case, the perpetrators were convicted of breaking into the accounts of several persons with eBay accounts and posting false messages inducing the victims to send money for items which never existed. The perpetrators were sentenced to three and a half years’ imprisonment for computer-related fraud, fraud, and illegal access to information systems.

Reporting Mechanisms
Through the website eFrauda.ro, complaints about Internet fraud and cyber crimes, and also about spam and spyware, are collected.
The website provides the applicable legislation and gives a few recommendations on how to deal with Internet crimes. The website was intended as a tool to communicate promptly and directly the complaints regarding Internet crimes, such as phishing and Internet fraud, to the Romanian government agencies which investigate and take action against such crimes. The website was launched in 2004, and was updated for a couple of years. Currently the website is not working. Victims of computer-related crimes, including identity theft, phishing, Internet fraud, etc., have to file criminal complaints with the local police. Other websites play an informative role, including http://www.cybercrime.ro/ and http://cert.org.ro/.

Concluding Comments
Although identity theft is not expressly incriminated in Romanian legislation, the current provisions cover almost all incidents regarding identity theft. One of the weaknesses of the current system is the inoperability of eFrauda, or of any other website through which incidents regarding identity theft and other computer-related crimes can be reported directly to the authorities empowered to investigate and sanction such incidents. The establishment of a contact point for reporting Internet crimes would have a positive effect in the fight against such crimes. Such a reporting site is a necessity given that in most cases the victims of such crimes may be located all over the world, and filing an official complaint with the local police where the perpetrator is located may be difficult. Most of the incidents which are investigated and punished concern identity theft in the context of phishing, Internet fraud and the cloning of credit cards. Incidents such as claiming a false identity online are rarely reported and investigated.
7.28 Russian Federation

The laws of the Russian Federation currently in force do not contain any legal norms explicitly focused on identity theft as a particular type of crime, or containing a legal definition of such a crime. In existing legal practice in the Russian Federation, identity theft cases are handled using the general legal norms applicable to the actions listed below (with regard to personal data protection, forgery, fraud, etc.). To the extent of our knowledge, so far no draft laws of this nature have been submitted for consideration to the State Duma of the Federal Assembly of the Russian Federation.

Other laws applicable to identity theft incidents
• Criminal Code of the Russian Federation (eg, Article 159)
• The Federal Law on information, information technologies and protection of information
• The Federal Law on personal data
• The Federal Law on communication
• Administrative Code of the Russian Federation

Application of law in practice
There are a number of examples in case law of incidents related to identity theft, particularly with regard to the use of a false identity to commit fraud, digital identity theft, the use of spyware that causes unauthorised copying of users’ data, and the sale by third parties of personal databases.

Reporting Mechanisms
The mechanisms for solving hi-tech crimes, identity-related crimes and identity theft crimes in particular are the same as those applied to all other crimes. The Russian Ministry of Internal Affairs (MIA) incorporates a ‘K’ Department and its regional departments in the Ministries of the constituent entities. Among other things, this department deals with computer data crimes and illegal acts on the Internet, as well as on other information and telecommunication networks (including digital identity theft). A general law-enforcement portal, www.112.ru, was created to simplify the process of submitting a statement on a crime or violation.
The portal serves as a point of contact for reporting any crime using standardised, user-friendly forms. It should be noted that this is a general-purpose portal, and does not focus on identity-related crime in particular.

Concluding Comments
On the whole, we could say that the Russian legislation related to counteracting identity theft is quite comprehensive, since there have not been any cases of identity theft not covered by the existing legislation. However, law enforcement in Russia also has several shortcomings. For example, in order to submit a claim about a crime or violation to the regional MIA, the claimant needs to make a certain effort and overcome a number of obstacles of a bureaucratic nature, which also takes time. This is why, if the damage is insignificant, not every injured party will proceed with a claim. The Russian Federation lacks a unified portal (website) or unified system of interactive points of contact with a user-friendly interface that would ensure quick submission, registration and follow-up of statements on crimes and violations in the areas of computer data, information systems, communications, the Internet and other networks, including identity theft.

7.29 Slovakia

No legislation has been introduced in Slovakia that focuses explicitly on identity theft as a specific crime, or that defines such a crime. In practice, identity theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, etc.). No such legislation is currently under consideration to our knowledge. Instead, the policy emphasis in Slovakia is more on improving awareness of identity theft risks among potential victims and law enforcement bodies.

Other laws that may apply to ID theft incidents
• Criminal Code (Article 221)
• Article 247 para 2, Article 196 para 1b or 1c and Article 376 and partially Article 264 of the Criminal Code
• Act of 3 July 2002 no. 428/2002 Coll. on Protection of Personal Data as amended
• Law of 3 December 2003 No. 610/2003 Coll. on electronic communications as amended

Application of relevant laws in practice
There are several instances of case law application. One example relates specifically to the use of a third party’s stolen credit card. In April 2005 the perpetrator established an email account on AZET in the name of his ex-girlfriend. Through this email account he sent messages on a large scale to her colleagues containing untrue, discrediting and defamatory information about the victim. Apart from the core of the case (the perpetrator’s action was qualified as vilification), interesting findings related to this case arose from the investigation. The offender was criminally sanctioned with a fine of 20.000 SKK and the victim received 120.000 in damages in civil proceedings. There are other examples of case law that were applied to various kinds of identity theft incidents.

Reporting Mechanisms
No websites, hotlines or portals dedicated exclusively to identity theft exist or are planned. There is also no website focusing on cybercrime, identity theft or fraud in general in Slovakia.

Concluding Comments
Globally, it seems that the legal framework for combating identity theft incidents in Slovakia is sufficiently comprehensive, as there do not appear to be any examples of identity theft incidents which are not covered under present legislation. Therefore the actual problem in combating identity theft and cyber crime in general in Slovakia lies not in substantive law but in procedural criminal law. The first specific procedural problem concerns electronic evidence and the fact that this kind of evidence is often located in computers located abroad.
This creates, on the one hand, certain difficulties when determining which court has jurisdiction, and on the other hand the nature and location of electronic evidence requires the highest possible degree of international cooperation. Another procedural problem is the very difficult way in which electronic evidence has to be obtained, and once it has been obtained there is no provision on how electronic evidence must be considered and evaluated by the court, so judges apply the same rules that they use for any other type of evidence. A further procedural problem is that the long-standing traditional investigation instruments will very rarely lead to the successful investigation of cyber crime incidents. A further reason why cyber crime and ID theft are not combated effectively is the very low technical knowledge of judges, prosecutors and lawyers needed to understand technical questions. Lawyers are also unable to understand the very complicated language used in experts’ reports. Training and education on electronic evidence and combating cyber crime is thus essential to keep judicial decisions independent. There are of course many other procedural problems related to electronic evidence which arise from the very specific nature of electronic evidence.

7.30 Slovenia

In 2008, the new Criminal Code of the Republic of Slovenia (in Slovene: Kazenski zakonik, Official Gazette No. 55/08, 66/08, 39/09, 55/09, http://zakonodaja.gov.si/rpsi/r00/predpis_ZAKO5050.html, hereinafter KZ-1) was adopted, which explicitly defines identity theft as a criminal act in its Article 143 §4, when ‘someone assumes the identity of another person and under its name exploits his rights, gains property benefits or damages their personal dignity’. Violation of this provision can be criminally sanctioned with imprisonment of between three months and three years and, if committed by an official through the abuse of office or official authority, even up to five years (Art. 143, §4 and §5).
Other laws that may apply to ID theft incidents

• Criminal Code (Kazenski zakonik), hereinafter KZ-1 (eg, Article 211)
• Personal Data Protection Act (Zakon o varstvu osebnih podatkov), hereinafter ZVOP-1
• Electronic Communications Act (Zakon o elektronskih komunikacijah), hereinafter ZEKom
• Identity Card Act (Zakon o osebni izkaznici), hereinafter ZOIzk, and Passports of the Citizens of the Republic of Slovenia Act (Zakon o potnih listinah), hereinafter ZPLD-1

Application of relevant laws in practice

There are several instances of case law application. For example, the Information Commissioner investigated a case of illegal transmission of personal data between two insurance companies. Personal data of 2300 individuals was sent from one insurance company to another, and used by the latter for direct marketing. The sending of the data by the first insurance company and the use of these data by the second were performed without the necessary legal basis. The first insurance company was fined 112.000 EUR and its responsible person 20.000 EUR, whereas the second company was fined 108.000 EUR and its responsible person 20.000 EUR, both for violation of the Personal Data Protection Act. One of the companies appealed to the court, whereas the other paid the fines without appealing. There are other examples of the application of the law that relate to ID theft incidents.

Reporting Mechanisms

There is no special reporting mechanism to the police dedicated exclusively to identity theft or cybercrime. People can use the main general reporting mechanisms. Whenever citizens require police assistance, they can call the 113 emergency number. Emergency calls are received and recorded by the deputy shift manager of the operation and communication centre at the regional police directorate.
To increase police cooperation with citizens, and thus also the effectiveness of such cooperation, the Operation and Communication Centre introduced a toll-free anonymous telephone number. There is also the e-government portal, where a report of the incident can be submitted to the Ministry of Interior. Also, if individuals believe their right to personal data protection has been breached, or that their data was not processed lawfully, they may request the Information Commissioner’s opinion on the matter.

Concluding Comments

In Slovenia in general it seems that the legal framework for combating identity theft is sufficiently comprehensive to deal with identity crimes. The main responsibility remains on the user side and the service provider side to take all possible measures to prevent such crime. Raising awareness on both sides should be the focus of the relevant institutions at the national as well as at the EU level. There are a number of initiatives at the national level addressing information security issues, targeting different groups of users (for example, educating children). Moreover, in Slovenia, identity theft victims can easily report the incident through different channels and institutions, as described above. However, in comparison to some other countries, general reporting sites (following one-stop-shop or portal models) with the Police and other relevant institutions are still missing.

7.31 Spain

Incidents related to identity theft are combated using the general provisions mentioned below (in relation to personal data protection, fraud, forgery, etc.) together with more specific provisions included in the Criminal Code.
Furthermore, the Parliament is now debating the reform of several articles of the Criminal Code, some of them including and enlarging specific references to unlawful activities related to access violating security measures, unlawful use of information systems and graduation of the damage/harm that has been caused. The bill currently under discussion was presented in November 2009 and at the moment of drafting this report it was in the amendments stage at the ‘Congreso de los Diputados’ (Lower House), before being transferred to the Senate (Upper House).

Other laws that may apply to ID theft incidents

• Criminal Code (eg, Article 399bis)
• Organic Law 15/1999, of 13 December 1999, of personal data protection
• General Telecommunications Law 32/2003 of 3 November
• Organic Law 1/1982 of 5 May, of Civil protection of the rights to honour, personal intimacy and own image

Application of relevant laws in practice

Please note that in Spain, when an incident may be considered a criminal offence, it is not (or no longer) also seen from the perspective of an administrative infringement (eg, violation of the data protection law is not considered an administrative infringement when criminal law also applies). Besides, an incident where several offences are committed is only condemned for the most important one. There are several examples of case law application.

Reporting Mechanisms

In Spain, there are two national security forces involved in the investigation and fight against identity crimes: the Civil Guard (Guardia Civil), with competences in villages of less than 20.000 inhabitants, and the National Police (Cuerpo Nacional de Policía), with competences in villages with more than 50.000 inhabitants or where there is a high level of conflicts.
In addition, there are some regional police bodies, especially in Catalonia and the Basque Country, with competences in cases where the offence takes place in those regions or that fall within the competences of the national police forces. All of them give recommendations on how to prevent potential security risks and how to behave when getting in contact with other people through the Internet.

Concluding Comments

In Spain ID theft is not considered an offence in itself (with the notable exception of the crime committed by a person who usurps the civil status of somebody else), but rather a means to commit a civil or criminal (or administrative) offence, online or offline. In general, the unlawful use of someone else’s identity is prosecuted when the acts seek to obtain an economic benefit, to cause economic damage to the victim or someone else, or to cause personal harm to the victim. The qualification and sentence applied depend on the result finally obtained or the means employed to get those results (fraud, forgery...); incidents are mainly prosecuted as disclosure of personal secrets, computer-related fraud, or offences against intimacy or moral integrity.

7.32 Sweden

Sweden has not introduced any legislation that focuses explicitly on identity theft as a specific crime, or that defines such a crime. In practice, identity theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, etc.). No such legislation is currently under consideration to our knowledge, though the risks have been emphasised by various Swedish authorities, including the Swedish Data Inspection Board (Datainspektionen) and the Swedish Post and Telecom Agency (PTS).
Other laws that may apply to ID theft incidents

• Penal Code (Brottsbalk (1962:700)) (eg, Chapter 9 Section 2)
• Personal Data Act (Personuppgiftslagen (1998:204))
• Electronic Communications Act (Lag (2003:389))

Application of relevant laws in practice

There have been several examples that demonstrate the application of relevant case law. In 2008, the district court in Växjö decided a case in which somebody accessed a social networking site with another person’s login credentials and altered information on that person’s profile in a derogatory way. The perpetrator was convicted of illegal access and sentenced to a fine and compensation for damages. In another case, a Swedish Appellate Court decided in 2002 that the use of someone else’s username and password for Internet access constituted computer-related fraud. In another, more recent, case from the district court in Göteborg in 2008, a person ordered goods online using false names and email addresses. He was ordered to pay compensation for damages and sentenced to imprisonment for 2 months.

Reporting Mechanisms

There are no official specific reporting or follow-up mechanisms in Sweden with regard to incidents of identity theft. Though the police, as the common first contact point, provide general information about Internet security and potential crimes related to it, there are no particular initiatives regarding identity theft. The Swedish Post and Telecom Agency (PTS) [75], as the supervisory authority with regard to electronic communications, has taken a leading role with regard to Internet security and general awareness of risks in an electronic environment. In addition, the Swedish Data Inspection Board (Datainspektionen) [76] ensures compliance with data protection legislation in Sweden by monitoring lawful processing by organisations and companies and informing the general public about privacy rights.
The Swedish Consumer Agency (Konsumentverket) [77] is also involved in increasing the general public’s knowledge of Internet security and of risks in e-commerce and online behaviour.

Concluding Comments

Although Swedish law does not explicitly contain provisions on identity theft, the legal framework seems to cover all possible situations of these incidents. Identity theft often involves other criminal behaviour and will therefore be covered by traditional rules on data processing, fraud, forgery, or illegal access to information systems. This encompasses, however, using the traditional channels of the police. The Swedish police offer online reporting for crimes, but these only include theft of vehicles or other property. [78] In general, several public authorities are involved in initiatives on Internet security, which include issues of identity theft to a varying extent. Although identity theft incidents have been considered an increasing problem in the media, no specific campaigns have been launched to support individuals with specific information in this regard.

[75] http://www.pts.se
[76] http://www.datainspektionen.se/
[77] http://www.konsumentverket.se/
[78] http://www.polisen.se/sv/Utsatt-for-brott/Gor-en-anmalan/Anmalan-via-Internet/

7.33 United Kingdom

No legislation has been introduced in the UK that focuses explicitly on identity theft as a specific crime, or that defines such a crime in those terms. In practice, identity theft incidents are combated using the general provisions. There is much scope for ambiguity in what different people mean by the term ‘identity theft’. The UK has helpfully sought to separate out the terms identity crime, identity theft and identity fraud (http://www.identitytheft.org.uk/identity-crime-definitions.asp).
Other laws that may apply to ID theft incidents

• Computer Misuse Act 1990 (as amended by the Police and Justice Act 2006)
• The Data Protection Act 1998
• Regulation of Investigatory Powers Act 2000
• Fraud Act 2006
• Identity Cards Act 2006

Application of relevant laws in practice

In most cases, claiming a false identity online, unlawfully using another person’s credentials, phishing, using spyware to obtain identity information, and trafficking in unlawfully obtained information are considered illegal, and one of the relevant acts applies: the Data Protection Act, if there is a violation of it because the personal information would be unlawfully processed; communication secrecy laws, if the personal information contained data related to electronic communication (such as email addresses, IP addresses, etc.); as well as the other specific requirements listed in the individual acts. No relevant case law was identified.

Reporting Mechanisms

To facilitate the reporting and effective follow-up of any fraud (including electronic identity theft), a general reporting site called Action Fraud was established (http://www.actionfraud.org.uk/). The site acts as a single contact point, through which any offline or Internet-based crime incidents (eg, phishing) can be reported using standardised forms, with interfaces currently available only in English. The questions that potential crime reporters are asked prioritise frauds in progress for investigation, by asking whether the subject of the report is ‘actually happening now, or are you or someone else at risk of immediate harm?’ Others are collated for intelligence purposes and may be investigated later if resources allow and successful prosecution looks likely. Questions are asked about the Fraud Type; the Victim; the Suspect; Money; Fraud Details; and Fraud Impact and Support. It is also possible to report a fraud by telephone.
Concluding Comments

Globally, it seems that the legal framework for combating identity theft incidents in the UK is sufficiently comprehensive, as there do not appear to be any examples of identity theft incidents which are not covered under present legislation. The establishment of a contact point for reporting Internet and offline frauds (the aforementioned Action Fraud portal) is a positive development. Nonetheless, there are also a few weaknesses. First, public resources for investigating identity-related crimes remain modest, even though the inclusion of some such offences within the British Crime Survey and the UK police focus on victims’ perceptions of harm and fear give such offences a higher profile than in the past. Secondly, the investigation of incidents remains complicated in practice, especially in cross-border cases. Even when clear evidence of an identity theft incident can be found (eg, a fake profile on a social networking website through which false information is being spread), it can often prove difficult to convince the website operators to take the offending information offline, and even harder to obtain information from the operator that would make it possible for police to investigate the crime further (eg, IP addresses or mail addresses used by the offender).

7.34 United States

In 1998 Congress passed the Identity Theft and Assumption Deterrence Act [79], which amended the United States Code (18 U.S.C. § 1028(a)(7)) to make it unlawful for anyone to ‘knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable State or local law.’ With this act the US has provided an explicit definition of identity theft.
However, not only the federal legislators but also state legislators have passed specific laws explicitly criminalizing identity theft.

Other laws that may apply to ID theft incidents

• Title 18 U.S.C (eg, Section 1028 – Articles 1-7)
• Electronic Communications Privacy Act (ECPA)
• Federal Trade Commission (FTC) Act
• Gramm-Leach-Bliley (GLB) Act
• Fair Credit Reporting Act (FCRA)
• Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)

Application of relevant laws in practice

There are examples in case law of prosecutions of identity theft offences. For example, in a case of phishing, United States v. Goodin, U.S. District Court, Central District of California, 06-110: Jeffrey Brett Goodin violated federal law by sending Internet Service Provider America Online users thousands of unsolicited emails that falsely purported to be from the AOL Billing Department. With these messages Mr Goodin prompted the recipients to update their personal and credit or debit card information. These spam emails were sent from fraudulently created email accounts and contained weblinks to false AOL webpages, which in turn contained computer code directing the provided information to email accounts controlled by Goodin. He then used the information to make unauthorized purchases. On June 11, 2007, petitioner Jeffrey Goodin was sentenced to a total of 70 months of imprisonment. The judgment was affirmed by the Ninth Circuit on December 17, 2008.

[79] U.S. Congress’ Identity Theft and Assumption Deterrence Act of 1998 (Public law 105-318, 112 Stat. 3007-3012).

Reporting Mechanisms

There are several reporting tools available in the US. The most important and central one, however, is the FTC’s ID Theft Complaint Form, which can be filled out online (at www.ftccomplaintassistant.gov/) or by phone, using the toll-free Identity Theft Hotline.
This tool covers both online and offline identity theft, and victims can choose between filling it out anonymously (thereby, however, losing out on some of the benefits described below) or under their name. The advantages of filing a complaint with the FTC are in general that the information is shared with the FTC attorneys and investigators, and is entered into the electronic database, which provides information for the FTC’s reporting on identity theft and can be searched by law enforcement agents for their criminal investigations.

Concluding Comments

The legal framework for combating identity theft in the US seems in general sufficiently comprehensive, and there appears to be no major legislative gap with respect to the examples of identity theft incidents. Nevertheless, there is not one comprehensive law governing privacy and data protection in the US. Rather, a set of provisions apply to specific aspects of it. Awareness of the importance of the issue seems high, as illustrated by the introduction of a separate criminal offence and legal definition by the Identity Theft and Assumption Deterrence Act, the establishment of the President’s Identity Theft Task Force to provide strategic guidance and recommendations on the issue, and the wide range of both governmental and non-governmental websites that provide information on identity theft. A comprehensive ‘one-stop-shop’ reporting mechanism is, however, still missing, although the FTC’s webpage plays a key role in this respect.

CHAPTER 8 Analysis

8.1 The legal perspective: a comparative overview of legislation

8.1.1 Legislation focusing explicitly on identity theft

One of the first questions examined in the national profiles was whether specific legislation criminalising identity theft as such, or introducing any such concept, existed. The majority of the countries covered did not yet have such legislation; in other words, in most of the countries there is no crime of identity theft as such.
Instead, these incidents are punished, depending on the circumstances, by other provisions addressing, for example, privacy law, fraud, forgery, etc. In a smaller number of jurisdictions, however, there are specific crimes aimed at punishing perpetrators of identity theft. In some of these countries identity theft is only defined as a separate crime when the relevant actions result in other offences, while in others identity theft is completely autonomous in the sense that no other illegal acts are required for it to be punishable.

As was already noted above, in Canada the Criminal Code (as amended by Bill S-4 [80], which entered into force on 8 January 2010) covers identity-related crimes. In particular, under Section 402 it criminalizes the actions of anyone who:

• Knowingly obtains or possesses another person’s identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.
• Transmits, makes available, distributes, sells or offers for sale another person’s identity information, or has it in their possession for any of those purposes, knowing that or being reckless as to whether the information will be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.

The notion of ‘indictable offence’ in this law refers to any of the following: forgery of or uttering a forged passport; fraudulent use of a certificate of citizenship; personating a peace officer; perjury; theft, forgery, etc., of a credit card; false pretence or false statement; forgery; use, trafficking or possession of a forged document; fraud; and identity fraud.

[80] S-4 An Act to amend the Criminal Code (identity theft and related misconduct), 40th Parliament – 2nd Session (Jan. 26 2009 – Dec. 30 2009). As of 26 January 2011: http://www2.parl.gc.ca/Sites/LOP/LEGISINFO/index.asp?Language=E&Session=22&query=5778&List=toc

80 RAND Europe & time-lex Chapter 8 Analysis of country summaries and recommendations

‘Identity information’ is defined as information ‘commonly used alone or in combination with other information to identify or purport to identify an individual.’ Examples of such information include: name; address; date of birth; written, electronic or digital signature; Social Insurance Number; health insurance or driver’s license number; credit or debit card number; number of an account at a financial institution; passport number; username or password; fingerprint or voice print; retina or iris image; and DNA profiles. This is an offence for which the Criminal Code foresees two alternative sanctions: prosecution as a) an indictable offence with imprisonment of no more than 5 years, or b) a summary conviction punishable by a fine of no more than $5000 or six months of imprisonment, or both. Additionally, the Code under subsection 738(1)(d) enables the court to order the offender – as part of the sentence – to pay restitution (covering expenses incurred to re-establish identity, including the replacement of identity documents and the correction of credit histories and credit ratings) to a victim. In Canada, therefore, identity theft may be prosecuted as a crime if it is linked to another illicit behaviour. The Canadian approach can thus be considered an example of a system where identity theft is treated as a preparatory act for the commission of other crimes (such as fraud, etc).

France is another interesting example of a country where identity theft has been defined as a specific crime.
The French Criminal Code contains a specific provision for identity theft (Article 434-23), allowing it to be qualified as a crime if two conditions are met: (1) The thief has to assume the name of another person. However, the use of a false name that does not correspond to an existing natural person is not covered by this article. [81] (2) The identity theft should lead or might have led to the initiation of criminal conduct against the victim. This is, for instance, the case if the identity theft prevents the victim from obtaining a French passport to which he is entitled. [82] The wording of this article therefore eliminates from its scope of application a number of cases where identity theft does not trigger any legal or economic consequence for the victim. Such acts may, however, still be prosecutable under other qualifications such as libel or misappropriation of correspondence. Secondary conduct which does not by itself constitute a crime will remain unpunished. This is, for example, the case when emails are used fraudulently by third parties to suggest affiliation of the victim to a political party, etc. (presuming, of course, that this suggestion could not be qualified as defaming). In order to address this potential legal vacuum, the creation of a new crime that would punish identity theft in electronic communications is currently being discussed by the French Parliament. If approved, the act (known as LOPPSI 2 [83]) would introduce a new article into the Criminal Code. At the time of writing, the text has been approved by both Chambers in first reading.

[81] Cour de Cassation, Chambre criminelle, 10 March 2010, N° 09-81.948, not published
[82] Cour de Cassation, Chambre criminelle, 26 May 2009, N° 08-87.752, not published
Article 2 of LOPPSI 2 would introduce a new article (222-16-1) to the Criminal Code, worded as follows (according to the version approved by the Parliament on 16 February 2010):

‘The fact of using on a network of electronic communications, the identity of another person or data of any kind that allows his or her identification in order to disturb the peace of that person or another person is punishable by one year of imprisonment and a fine of €15,000. Shall be punished in similar terms the fact of making use, on an electronic communication network, of the identity of another person or data of any kind that allows his or her identification, in order to affect his/her honour or consideration.’

As currently worded, this new concept of identity theft would require two elements:

• Material element: the use of a third party’s identity or of any other data allowing his or her identification on an electronic communication network. This includes the fraudulent use of emails but also fraudulent posting on blogs or social networking sites. The proposer of this new provision, MP Eric Ciotti, has clearly indicated that this article is intended to punish instances of identity theft that would not trigger clear economic consequences for the victim, but which may have a less tangible impact, such as in the case of defamation.
• Intentional element: this use of an identity or of specific data should aim at disturbing the peace of a third party or impinging on his or her honour or reputation.

The new article foresees a one-year prison term and a €15,000 fine as possible sanctions, which are increased when the identity theft is committed by a legal person: the amount of the fine is then raised to €75,000.
Legal persons can moreover be dissolved (when the legal person has been created to perpetrate the crime), and a temporary or definitive prohibition from exercising, directly or indirectly, the social or professional activity in which the offence has been committed can be ordered, as well as placement under judicial supervision or exclusion or suspension from public procurement (Article 139 of the Criminal Code).

[83] Loi d’orientation et de programmation pour la performance de la sécurité intérieure (LOPPSI 2); the preparatory works are available online at (as of 26 January 2011): http://www.assemblee-nationale.fr/13/dossiers/lopsi_performance.asp

In India too, identity theft is defined as a separate crime, although only the fact of using somebody else’s identification features (such as a password or electronic signature) is punished and not, in more general terms, the fact of using the identity of another person in an online environment. According to Section 66C of The Information Technology Act 2000, as amended in 2009:

‘Whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh (100,000 rupees).’

Coming back to Europe, in Slovenia a new Criminal Code was adopted in 2008 that explicitly defines identity theft as a criminal act in its Article 143 §4, when:

‘Someone assumes the identity of another person and under its name exploits his rights, gains property benefits or damages their personal dignity.’
Violation of this provision can be criminally sanctioned with imprisonment between three months and three years and, if committed by an official through the abuse of office or official authority, even up to five years (Article 143 §4 and §5).

In Italy the situation is comparable to that of Slovenia: while there is no specific provision dealing with identity theft, there is a generic crime of ‘substitution of person’ (Article 494 of the Criminal Code). This provision, which has been applied by the courts in cases that could be qualified as offline and online identity theft, says that:

‘Whoever, in order to secure for himself or others an advantage or to cause damage to somebody, leads someone in error, replacing unlawfully his person with another’s person or giving to himself or others a false name or false state or a quality to which the law gives legal effect, is punished, if the fact is not another crime against the public faith, with imprisonment up to one year.’

In the United States, according to the 1998 Identity Theft and Assumption Deterrence Act [84], which amended the United States Code (18 U.S.C. § 1028(a)(7)), it is unlawful for anyone to:

‘Knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable State or local law.’

With this act the US has provided an explicit definition of identity theft. However, not only the federal legislators but also state legislators have passed specific laws explicitly criminalising identity theft.
In California, for example, this is done by Section 530.5 of the Californian Penal Code, which sanctions amongst others:

‘Every person who wilfully obtains personal identifying information […] of another person, and uses that information for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, real property, or medical information without the consent of that person.’ [85]

Potential sanctions include fines and/or imprisonment for up to one year in a county jail or in a state prison.

[84] US Congress Identity Theft and Assumption Deterrence Act of 1998 (Public law 105-318, 112 Stat. 3007-3012)
[85] See (as of 26 January 2011): http://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen&group=00001-01000&file=528-539

According to the collected country reports, identity theft is expected to be punishable as a crime in Hungary (from 1 January 2011) and Latvia. In Estonia, ID theft is already a crime pursuant to the local Criminal Code. Conversely, in the Czech Republic the introduction of ID theft as a separate crime was considered during the preparation of a new Penal Code in 2009, but ultimately no such crime was included when the Penal Code was adopted.

In summary, six countries (out of the thirty-three examined in this study, and including three EU Member States) have a specific provision in their legislation dealing with identity theft. This represents 18 percent of the jurisdictions covered by this study. In another two countries, ad hoc legislation will come into force in the near future.
It is also worth noting that only two countries have adopted a specific provision dealing with identity theft in an online environment: Indian legislation has specific rules dealing with the misuse of somebody else’s identity in cyberspace, and in France a similar provision has been approved by the Parliament and will likely enter into force in the near future.

As will be shown more extensively below, these figures do not mean that identity theft incidents can be prosecuted and punished in only 18 percent of the countries under analysis – or, in other words, they do not necessarily indicate that there is a legal vacuum to be filled in 82 percent of EU countries – but rather that in the other jurisdictions different and more indirect classifications must be applied. Furthermore, the fact that a country has specific legislation dealing with and criminalising identity theft does not imply that these incidents are prosecuted and sentenced more effectively than in other jurisdictions. In fact, the definitions provided above show that there is no uniform understanding of identity theft in criminal law, with some definitions (eg, the Italian and Slovenian examples) bearing many of the characteristics of the general definitions of fraud, the main unique aspect being that identity is explicitly mentioned as the modality used to manipulate the victim. This is an indication that general provisions of criminal law may be effective as tools to combat identity theft if they are phrased sufficiently broadly. As a result, it is also debatable whether it is necessary or useful to define specific offences that apply to identity theft.
If other crimes such as fraud, forgery, data protection or privacy violations, defamation, etc., already allow the punishment of those who steal or misuse the identity of somebody else, then the definition of separate criminalisations is not driven by the need to fill a legal vacuum, but rather by the wish to define more specific rules that could be easier to apply in practice, or which could lead to more appropriate sanctions. However, not all of the definitions above fall into this category. The French example in particular shows that the new definition presently being considered in Parliament is in fact driven by a desire to fill a perceived regulatory vacuum, notably to cover cases of identity theft where there is no clear legal or economic harm for the victim and where no other effective criminalisation applies. The fact that other countries have not chosen to introduce similar separate criminal provisions can be seen as an indication either that such vacuums do not exist in all countries, or alternatively that the specific acts targeted by the French legislation are not considered sufficiently serious to warrant systematic criminal prosecution. The French example referred to the false suggestion of a victim's political affiliation in a falsified email. Other countries might consider this to be either not serious enough to justify separate criminalisation, or they might argue that this conduct is sufficiently covered by existing criminal law (eg, telecommunications privacy rules, or even generic data protection rules). Thus, the main conclusion appears to be that the existence of separate criminal provisions is justified by the perception of a regulatory vacuum, and that there is no indication of this perception being shared between the surveyed countries.
Finally, lawmakers are also faced with the challenge of introducing regulations which are sufficiently broad to apply to harmful activities, while avoiding the risk of formulating them in a way that could also cover harmless or even societally beneficial speech. One might consider the (frequently occurring) case of fake celebrity profiles on a social network, where the user of those profiles merely intends to amuse himself and others, or to deliver social criticism (possibly through satire or parody), with no intention of making an illicit profit or causing harm. Whether such behaviour should be criminal or not (and indeed, whether it should be considered identity theft or not) is a policy question which does not have a universal and clear answer. The possibility of new criminal provisions causing collateral damage to freedom of (lawful) expression should be carefully considered before introducing regulations. In this sense, the Canadian legislation appears to be more balanced than some of the other examples mentioned above.

8.1.2 Other offences applicable to identity theft incidents

It has been noted that only a few countries, such as Canada, France and the United States, have defined a crime in their legislation specifically addressing identity theft. Such separate definitions are clearly the exception rather than the rule at this time, and in all other jurisdictions identity theft may be punished only if it is part of or connected to another illicit behaviour. As a result, identity theft will fall under a different legal classification. In the country reports, we focused on four specific categories of crime that are frequently coupled with identity theft incidents: fraud, forgery, hacking and illegal data interference. These offences exist in some form in all countries covered by this study (although with some differences, as we shall explore further below).
The country reports also noted that most instances of identity theft violate data protection legislation in European countries, since the misuse of identity data violates the privacy rights of the data subject, at least in cases where identity theft involves the identity of an existing (non-fictitious) person, and when focusing only on natural persons (ie, excluding identity theft of legal persons, a notion that is typically not considered in any detail in existing doctrine or jurisprudence). Generally speaking, identity theft as such is thus also a violation of data protection legislation even if no further offences are committed, and therefore identity theft can be (administratively or criminally) prosecuted in those countries where there is no specific crime of ID theft. In that sense, data protection legislation can serve as a safety net in the EU when no other classification applies. However, it should also be duly acknowledged that this role as a safety net is mainly theoretical at this time. Data protection rules are only rarely applied to cases of identity theft in practice, as can be seen in the examined case law, and other criminal provisions (notably fraud and forgery) play a much greater role. Enforcement of data protection rules is thus not likely to be an effective strategy to address identity theft, unless the emphasis on enforcement of these rules is improved significantly.

Fraud and computer-related fraud

Fraud is punished as a crime in all the countries covered by this study. Generally speaking, fraud can be defined as the act of using deception with the aim of appropriating somebody else's property or of gaining a financial benefit to the detriment of somebody else. The concept of deception may include the use of a false identity or of false pieces of identification.
Fraud may exist if there are economic benefits for the perpetrator of the crime and/or economic disadvantages for the victim: the victim generally must suffer economic loss as a consequence of the fraud. By way of example: if somebody claims a different identity to engage in personal contacts with another person without any financial interest, his/her behaviour will typically not be qualified as fraud (although other qualifications may apply; eg, in the case of sexual contact initiated on the basis of a deceptive identity, this may be qualified as rape). If the deceptive use of the false identity (alleged or demonstrated through fake documents) has an economic goal, on the other hand, the case will typically fall within the borders of fraud. The victim of the fraud may be a person, a company or a public institution: one of the hypotheses examined specifically by the country profiles was identity theft in order to gain illicit social security benefits. Fraud, therefore, is very often linked to identity theft, and identity theft incidents are commonly prosecuted and punished if they aim to perpetrate a fraud, even if no formal classification of identity theft is (or can be) applied.

Forgery and computer-related forgery

Forgery is also punished in all the countries covered by this study, although there are differences regarding the nature and the punishment of the crime. Forgery is more related to identification than to identity,[86] in the sense that it regards the falsification of official or private documents, including identity documents such as identity cards, passports, birth certificates, etc. A qualification as forgery may be applied to an official document (ie, one issued by a public institution or public official) or a private one such as a contract; it may be perpetrated by a public officer or by a private person.
Depending on the case and the legislation involved, the person committing the crime may have a financial interest, or the crime may be committed with a view to economically benefiting third parties. In the case of public officers, cases in practice are likely to involve corruption (which may lead to additional prosecution or higher sentences). Forgery can also be ICT-related, since it can be committed using electronic credentials and/or other tools for online identification. In many jurisdictions computer-related forgery is punished with ad hoc provisions, as the country profiles have shown. This is not surprising, since computer-related forgery is part of the Convention on Cybercrime, which defines this crime explicitly in Article 7; thus, all signatories to this Convention may be expected to have similar criminal provisions in their legislation.

[86] It is clear, therefore, that there is a conceptual difference between 'identity' and 'identification': the former is a characteristic of every individual (or even of a non-personal entity, such as a company or an association) that makes him/her unique, while the latter indicates the identity of the subject through external means such as documentation.

Hacking

The crime of hacking concerns illegal access to information systems, and as such it may be linked to identity theft when a third party's identity information (including specific credentials) is used to access an information system, or when such information is copied or stolen after a successful hacking attempt. Hacking is an offence in all countries covered by this study. However, hacking is a complex crime in the sense that it represents a step beyond identity theft: a hacker uses a false identity and/or falsified identification tools in order to gain access to an IT system, with or without a financial motive.
In many countries, hacking can only be punished if the perpetrator acted with the aim of gaining a profit or causing damage: this applies in Austria, Latvia, Slovakia (where mere access to information systems without intent to cause damage is not an offence) and Slovenia (thus in 12 percent of the countries). Elsewhere, the crime of hacking exists only if the perpetrator actually caused damage or altered the functioning of the system: this is the case in France, Spain and the United States, and in Russia hacking also includes copying the output of computer systems and networks. Finally, in some other jurisdictions, including Greece, Lithuania and India, hacking may be punished only if the perpetrator unlawfully accesses a secured computer system. Thus, the use of false credentials to access information will not by definition be sufficient to be considered a crime in all examined countries, since additional requirements (damage or economic harm) may apply. These differences might result in certain examples of identity theft being punishable as hacking in some countries, but not in others.

Illegal data interference

The crime of illegal data interference in many countries corresponds to or overlaps with that of hacking; generally speaking, interference with the functioning of an information system is required. While in the case of hacking in some (but not all) countries a crime has been committed merely if one illegally accesses a system, in the case of illegal data interference it is necessary that at least the normal functioning of the system is altered. Illegal data interference includes the distribution of viruses or other malicious software or applications with the aim of damaging computer systems, which can include, for example, the surreptitious installation of keyloggers to intercept usernames and passwords.
The perpetrator of a hacking offence will usually be the person who accesses a computer system through falsified credentials; if the same person also destroys or modifies data or software on the system, he can be sentenced for illegal data interference as well. Therefore, this qualification would apply to any identity theft incident involving the falsification of identity information stored in an information system. In Germany, however, illegal data interference also includes illegal data interception: whosoever unlawfully intercepts data not intended for him, for himself or another, by technical means from a non-public data processing facility or from the electromagnetic broadcast of a data processing facility, commits a criminal offence. Thus, illegal interference can be combined with communications privacy regulations. In other jurisdictions, such as the Netherlands, illegal data interference can be punished not only if committed with deceptive intent or with the intent to cause harm, but also if it is committed negligently (and therefore non-intentionally), while in other countries, such as Slovakia, only acts committed with the intent to cause damage are punishable. Intent is also required in the UK, where the requisite intent is to cause a modification of the contents of any computer and by so doing to impair the operation of any computer; to prevent or hinder access to any program or data held on any computer; or to impair the operation of any such program or the reliability of any such data. Finally, in other countries intent is necessary in order to punish the perpetrator as a general requirement of national criminal law (eg, in Italy).

Data protection laws, communications secrecy laws and copyright

The importance of data protection legislation should not be overlooked when examining identity theft, at least from an EU perspective.
According to the provisions of the European Data Protection Directive (95/46/EC) as applied in all Member States, the name and other data linked to the identification of a person and to his/her identity are considered personal data, and therefore cannot be processed without appropriate guarantees. A key requirement is the existence of a legitimate justification for the processing of personal data (Article 7 of the Directive), without which the processing of that data is not allowed. Obviously, the processing of personal data with the intent to commit a crime or to harm somebody cannot be considered legitimate, and will therefore always be in violation of EU data protection law. Identity theft, in particular, is likely to violate several requirements linked to the processing of personal data, such as legitimacy requirements, proportionality obligations and the purpose restriction, transparency obligations, security obligations and formal obligations such as prior notification to the competent national Data Protection Authority. Any identity theft incident is thus likely to also be a violation of data protection legislation in the EU. Generally speaking, such violations can be prosecuted before a court and before the national Data Protection Authority concerned. The victim, in fact, can request that the authority order the illegal processing of personal data to cease. The authority may also impose a fine on the perpetrator, and the victim can obtain compensation for damages before the civil court. In other words, data protection legislation gives the victim the possibility of protection in the case of illicit processing of ID data also in those cases where such processing is not (followed by) a crime such as fraud, forgery, etc.[87] This is an important consideration, as it means that actions preceding identity theft which may otherwise not necessarily be punishable (eg, selling stolen credit card information) can still be sanctioned.
This also implies that in the jurisdictions where identity theft is not a crime as such, identity theft incidents are in any case unlawful and can be prohibited by public authorities. Violation of data protection regulations is in some countries considered a crime with the possibility of imprisonment (inter alia in Cyprus, Denmark, France, Germany, Greece, Italy, Malta, the Netherlands, Poland, etc.), while in other jurisdictions it is an administratively sanctioned behaviour (Bulgaria, Czech Republic, Lithuania, Romania, Spain).

[87] As will be pointed out below, however, in some EU Member States such as Slovenia it is not possible for citizens to obtain protection from the national Privacy Authority in case of misuse or theft of their identity if the data processed are not part of a filing system.

Potentially applicable privacy legislation has also been enacted by non-European countries such as:

1. Canada, where data protection regulations are very similar to the EU Directive. According to the national legislation, 'personal information' is defined as 'information about an identifiable individual' other than the 'name, title or business address or telephone number of an employee of an organization', and this definition includes email addresses that are traceable to the individual, as well as information that does not permit identification of an individual but relates to an identifiable individual, for instance his or her shopping preferences.

2. China, where the law of 1 July 1979 on privacy invasions imposes criminal liability on persons who misappropriate personal information in the course of performing their professional duties; both private sector and government agency personnel who misappropriate a citizen's personal data are subject to the penalty.

3. India, where several sources are applicable in the data protection field, including in particular the Personal Data Protection Bill 2006.

4. Japan, where the Act on the Protection of Personal Information Held by Administrative Organs of 2003 forbids any person specified in the law from providing to another person, or appropriating, retained personal information that he or she acquired in the course of his or her work, for the purpose of making an illicit gain for himself or herself or for a third party; the persons so specified are employees or former employees of an administrative organ, and individuals or business operators entrusted by an administrative organ with the handling of personal information who are or were engaged in the entrusted affairs under the law.

5. The Russian Federation, where under the provisions of Federal Law of 27 July 2006 N 149-FZ identity theft instances are treated as illegal processing, since this violates the legal norm prohibiting the obtaining of information about the private life of a person (individual), including information relating to the person's private or family secrets, against such person's will, unless otherwise provided for by federal laws.

6. The United States, where there is no single comprehensive law governing privacy and data protection, but rather a set of provisions applying to specific aspects of it. Some laws address the interception of electronic communications by government or private entities (eg, the Electronic Communications Privacy Act (ECPA), the Communications Assistance for Law Enforcement Act (CALEA) and the Patriot Act). Other laws safeguard personal data in specific sectors (eg, the Health Insurance Portability and Accountability Act (HIPAA) with respect to health care) or of specific individuals (eg, the Children's Online Privacy Protection Act (COPPA) for children).
Furthermore, certain states have enacted security breach notification laws that require companies to inform individuals of security breaches that might have compromised their data, enabling them to take appropriate steps to protect themselves against falling victim to identity theft. Besides legislation at federal and state level, there is also a diverse set of self-regulatory mechanisms in place that have an impact on the data protection and privacy environment in the US (such as the labelling schemes TRUSTe and the Better Business Bureau's online privacy programme (BBBOnline), or self-regulatory codes of conduct for certain sectors such as the one established by the Direct Marketing Association (DMA)).

In other words, in all of the countries covered by the study, some data protection/privacy legislation exists which could be applied to most types of identity theft by treating it as an illegal processing of personal data. This statement clearly applies to all EU Member States, but the possibility usually exists also in non-EU countries. It should, however, be acknowledged that privacy protection mechanisms are likely to be enforced only when the misuse occurs on a mass scale and/or when no complicated investigations are necessary. The typical identity theft incident perpetrated by a single person in a social network environment is unlikely to be effectively addressed by data protection law, at least on the basis of the assessments provided in the country reports. The use of data protection legislation to combat identity theft is thus a theoretical possibility, but not usually a practical reality. It is more efficient for the victim to use criminal law tools (starting with reports to the police/public prosecutor) to obtain protection in the case of identity theft incidents.
The case law reported in this document, in fact, shows that perpetrators of identity theft are usually sentenced for penal law offences such as fraud, defamation, forgery and so on, rather than for violation of data protection laws. Identity theft may also be the consequence of a violation of communications secrecy. It is fairly broadly accepted that private communications (by phone, on the Internet or through any other means) should be protected against disclosure or use by unauthorised third parties. Communications secrecy also includes the prohibition of communication intercepts unless they have been ordered by a competent public authority for legitimate reasons and purposes. The interception of private communications may, in fact, involve the acquisition of identity data (ie, a typical identity theft). These data may then be used to commit other crimes such as fraud, etc.

8.2 Civil sanctions

Identity theft incidents may well result in an obligation for their perpetrators to compensate the victims for the damages they have suffered (if any such damages exist and can be shown). Compensation is a civil sanction which may be imposed by a judge if the victim can prove that he/she suffered damages arising from the identity theft. The concept of damages is not homogeneous across the countries covered by this study, especially when one considers indirect damages, including moral damages, damages to reputation, etc. (ie, all those damages that do not have a direct effect on tangible goods). This is, however, an issue that relates to civil liability for criminal activities in general, and is not specific to identity theft.
It is worth noting that here, too, the Data Protection Directive imposes a duty on Member States to ensure that 'any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered' (Article 23). Thus, insofar as the identity theft incident involves the unlawful processing of personal data, a theoretical right to reparation exists in all EU Member States.

8.3 Case law review with respect to identity theft

8.3.1 Introduction

The sections above examined the extent to which legal provisions have been adopted that target identity theft or that could be applied to identity theft incidents. However, the country reports also examined the issue of identity theft in practice from the legal point of view through an assessment of case law. The mapping of this case law takes into account the spectrum of potential victims, namely (i) private individuals and organisations and (ii) public institutions. The country reports explored this spectrum through five sample situations of identity theft, covering both online and offline cases. The simplest form of identity theft is claiming a false identity online, without necessarily any further consequences. This does not inherently bring financial or economic benefits for the perpetrator, and the same applies to unlawfully using another person's credentials. The economic motivation is usually present in other illegal behaviours such as phishing, using falsified identity documents to unlawfully apply for social benefits, and trafficking in unlawfully obtained personal information. A detailed overview of the case law reported in all these fields is provided in the following paragraphs.
It is clear that there is a significant disparity in the penalties across the countries covered by this study, so that similar offences can be punished with noticeably different sanctions. However, it should also be acknowledged that this can be due to the vastly different details behind each individual case, and that this disparity is also a conscious EU policy choice: both the Data Protection Directive and the Framework Decision explicitly allow Member States the right to determine appropriate sanctions. Thus, this particular issue of strongly diverging punishments is not an identity theft issue, but rather a result of the national autonomy of the EU Member States. Whether this disparity is necessary, fair or desirable is a different question, one that transcends the scope of this study.

8.3.2 Claiming a false identity online

In several countries decisions related to claiming a false identity online have been reported. These cases include creating an account on a social networking site such as Facebook under someone else's name. In fact, the majority of the decisions analysed in the country profiles concern social networks and discussion forums. More specifically, case law involving identity theft in social network/forum environments has been reported in eight countries:

- Belgium: in 2002, the criminal court of first instance in Liège ruled on a case in which a visitor created a false identity on a discussion forum. Using this false identity, the person solicited other visitors of the forum to send erotic messages to a phone number which did not belong to him. The court ruled that the use of the false identity constituted fraud and stalking (a qualification as computer fraud was not possible, as the relevant provisions had not yet been adopted at the time of the crime).
The defendant was given a 3-year suspension of sentence and was ordered to pay damages to the victim.
- France: in the case ruled by the First Instance Tribunal of Carcassonne on 16 June 2006, a woman used different pseudonyms on a dating website and described herself as an 'easy woman willing to have sexual relations'. She provided her colleague's contact details, so that this colleague started receiving numerous messages from individuals eager to meet her. As a result, the colleague fell into a depression and had to take sick leave. The convicted woman was held liable for voluntary duress with premeditation and had to compensate both her victim and the Public Health Insurance.
- Greece: the Thessaloniki Court of First Instance, in the context of an injunction application, recently dealt with a case relating to the posting on Facebook of data without the permission or consent of the person concerned (Decision 16790/2009). The defendant created a Facebook account under a fake name and posted defamatory information (and documents) about the plaintiff. This act was considered unlawful processing of personal data and a violation of the personality of the plaintiff. However, it should be noted that the decision on the case was not final at the time of reporting.
- Hungary: a case involved the abusive use of photos and private data (address and telephone number) of a woman on social websites dedicated to the provision of sexual services. The victim brought a civil action against the websites before the Pest Central District Court. According to the judgement, the owner of the website, being an intermediary provider, is not responsible for the content. The Pest Central District Court thus dismissed the action and ordered the plaintiff to pay legal costs. The Metropolitan Court of Appeal upheld the decision in April 2009.
In a similar case of falsified online ads (concerning the offer of a car and of sexual services, where the ads contained the nickname and phone number of the victim), the police identified the IP address from which the ads were sent, and in 2007 the City Court of Hatvan found two defendants guilty of violating the data protection laws and of the offence of harassment. Each defendant was sentenced to a fine of 100,000 forints (about €400). The Supreme Court upheld the decision in December 2008.
- Italy: in 2007, a man was found guilty of creating a false ID online, along with an email account, with the aim of seeking out people to whom he could propose false work opportunities and eventually ask for personal and fiscal data. The Italian Cassation Court sentenced the defendant to 10 months' imprisonment for violation of Article 494 of the Criminal Code (substitution of person).
- Poland: according to the Data Protection Ombudsman, several cases have been reported by concerned individuals. Those cases involved a Polish counterpart of Facebook, Nasza Klasa, and in particular the act of establishing false profiles of well-known individuals, politicians in the first place. Most often the content of those profiles has been insulting and defamatory, which triggers defamation laws as applicable. Reporting individuals have been directed to law enforcement agencies by the Data Protection Ombudsman in those cases. At that point the Ombudsman has lost track of the cases, and their outcome has not been reported to the broader public either. In another case, concerning the establishment of a false profile on an erotic social network, the deed was reported to law enforcement agencies by the Data Protection Ombudsman. Criminal charges were conditionally dismissed and the victim was awarded damages.
- The Russian Federation: in 2007 the City Court of Yoshkar-Ola in the Mari El Republic found that two locals had created false accounts on a dating website of non-existent women willing to marry wealthy foreigners. They posted photos of famous actresses and ballet dancers and provided false addresses, biographies and passport details. In the course of communication the would-be brides asked potential fiancés for money so that they could go and visit them, as well as to pay for a foreign passport, visas, tickets, etc. The perpetrators received the money at banks in Yoshkar-Ola and Cheboksary through the international money transfer systems Western Union and MoneyGram. After payment, communication with the victims stopped. It was found that during the three years of these activities the perpetrators received over 1 million roubles (around €25,000) from twenty nationals of the UK, USA, Germany, Austria and China. The court held that using a false identity account constituted fraud committed by an organised group. Both were sentenced to 3 years in a standard-regime penal colony.
- Sweden: in 2008, the district court in Växjö decided a case in which somebody accessed a social networking site with another person's login credentials and altered information on that person's profile in a derogatory way. The perpetrator was convicted of illegal access, sentenced to a fine and ordered to pay compensation for damages.

It has to be highlighted that in the abovementioned cases the defendants were sentenced on the basis of 'traditional' criminal qualifications (such as fraud, stalking, voluntary duress, defamation and harassment) rather than for computer crimes (with the exception of the Swedish case). Often, however, the unlawful processing of personal data has been noted and condemned as well, which illustrates the 'safety net' role that this legislation could play with respect to identity theft incidents.
Regarding the violation of data protection legislation, in some countries it has been reported that the national privacy authority cannot take any action to protect victims. More specifically, in Slovenia the Information Commissioner has received several complaints regarding false accounts on Facebook and false email accounts. Since the Commissioner does not necessarily consider this to be processing of personal data (the data processed are not part of a filing system), he is usually not competent in such cases. The Commissioner advised the victims how to report such false accounts directly on the web page and to turn to the police or the competent public prosecutor’s office (thus without taking any action directly).

In three other countries case law has been reported that was not related to misuse of social networks/forums. In Germany there is a string of well-established cases where courts have found that the right to one’s own name entitles one to forbid the unauthorised use of the same name by another person, in particular if the use of the same name causes a likelihood of confusion. This right to one’s own name may also apply to the use of company names, trade names, domain names and even abbreviations of names. In Japan in 1997 the Kyoto District Court issued a judgment in the case of a defendant who changed the official address of another person to avoid detection of the fraud that the defendant had performed under another name on a bulletin board system. The defendant was sentenced to 2 years in prison, with a stay of execution for 3 years on probation, for the offence of forgery. Finally, in Malta in the case Police vs Olaf Cini et (Court of Magistrates, Criminal), case No. 64/2006, the defendant was found guilty of committing the offences of forgery of private writings and false declaration or information to a public authority respectively, because he had sent an email which he signed using someone else’s information without that person’s consent or authorisation.

8.3.3 Unlawfully using another person’s credentials

The country profiles reported several cases of unlawfully using another person’s credentials, for example, using someone else’s username or password to send emails in his/her name. The mapping of the case law available shows that many decisions concern the use of stolen credit/debit cards, or in any case relate to the banking and financial sector. This is the case in the following thirteen countries:

- Belgium: several cases are known, specifically in relation to using a third party’s stolen credit card. After a ruling by the Supreme Court in 2003, most criminal courts have found this to constitute computer-related fraud.

- Bulgaria: several cases are known, specifically in relation to: (i) unlawfully obtaining data related to a third party’s bank cards by using special technical means; (ii) reproduction of false plastic copies of bank cards by using unlawfully obtained data regarding such bank cards (forgery); and (iii) respectively, usage of someone else’s bank card or a plastic copy of such a card (fraud).

- Denmark: several cases are known in relation to using a third party’s stolen credit card, which is found to constitute fraud.

- Estonia: the Estonian Supreme Court dealt with cases where a third party’s bank identifier codes were used to gain access to Internet bank accounts. The Supreme Court found this to constitute computer-related fraud.

- Finland: there are several cases specifically in relation to using a third party’s stolen credit card. Paying for purchases with a stolen credit card is qualified as fraud in Finland. However, most of these offences are not committed online.
For example, in 2009 the Kouvola Court of Appeal ruled that using a credit card that had been found by accident, and falsifying the signature when paying with the card, constituted fraud and forgery. The defendant was sentenced to imprisonment for one month, but the sentence included two petty thefts as well (the district court had sentenced him to imprisonment for two months).

- Greece: the Greek Courts have treated the use of credit/debit cards in different ways. The Athens Court of Appeals in its decision 1904/1991 considered the use of a cash card and its secret code as theft, without even considering the aspect of ICT-enabled fraud. The Military Court of Athens (2897/1994) also considered this action as theft. However, the Admiralty Court of Piraeus in its decision 418/1996 considered the use of another person’s bank card as fraud with a computer. The three-member Criminal Court of Athens ruled in its decision 3668/2006 that the two defendants who had hacked into the computer system of a bank and transferred an amount of money from the bank account of a foreign citizen to their own bank account were to be convicted of the offences of fraud with a computer and of violations of data protection law.

- Hungary: there is case law involving the sending of faxes. In 2007 the Municipal Court heard the case of a bank employee who, without authorisation, accessed on the bank’s information system the dormant accounts of seven clients containing large amounts of money. He took snapshots with a digital camera of the displays, which contained the details of the bank accounts (personal data of the holder, the amount and currency, and the secret password code required for transfers). A second defendant had opened two bank accounts using lost and falsified ID documents that contained his own photos, one of which used a falsified name. Unknown persons initiated the bank transfers by fax – containing the secret password and code – sent from a foreign phone number (traced to a Serbian city) to the Hungarian accounts. The identity of the accomplices remained unknown. The Municipal Court found the first defendant guilty of the crime of fraud together with the crime of violation of banking secrecy and the offence of forgery of official documents. The second defendant was found guilty of the crime of continuously committed fraud together with the continuously committed crime of forgery of official documents.

- Japan: in 2004, the Supreme Court sentenced a defendant who pretended to be the holder of a title deed and used a credit card for fraud. In 2006, the Supreme Court found the offence of computer fraud in the case of a defendant who entered into a computer the name of the holder of the title deed of a credit card which he had stolen, and purchased electronic money. From a different perspective, in 2007 the Supreme Court heard the case of a defendant who stole the ID and password of another person and used them illegally; it sentenced him for the crime of unauthorised creation of electromagnetic records because he had changed a password illegally.

- Malta: Maltese Courts have pronounced several judgements relating to fraud by persons using the credentials of another person. For instance, in the area of banking and finance, Police vs Mary Magdalene Sultana (Case Number 12/2010 – Court of Magistrates, January 2010): in this case the defendant was sentenced for committing several offences (inter alia, forgery of any authentic and public instrument or of any commercial document or private bank document, and fraud) by defrauding a bank of €18,600 after using a false identity when she presented herself at the bank’s branch and pretended to be somebody else (who turned out to be her friend). She was accused of first appearing at the Identity Card department, where she applied for an identity card in the name of another person (claiming that she – or rather that other person – had lost her identity card). Following the issuance of this ID card she managed to obtain a loan of €18,600 from the bank.

- Romania: in a recent case, the perpetrators were convicted of breaking into the accounts of several persons with eBay accounts and posting false messages inducing the victims to send money for items which never existed. The perpetrators were sentenced to imprisonment for three and a half years for computer-related fraud, fraud, and illegal access to information systems.

- Slovakia: several cases are known, specifically in relation to the use of a third party’s stolen credit card. This is likely to constitute computer-related fraud. One interesting case took place in April 2005, when a perpetrator accessed an email account on AZET (a webmail system) in the name of his ex-girlfriend. Through this email account he sent messages to her colleagues containing untrue, disparaging and defamatory information about the victim. The perpetrator’s action was qualified as vilification and he was criminally sanctioned with a fine of 20,000 SKK (around €500 at the time). The victim received 120,000 SKK (around €3,000 at the time) in damages in civil proceedings.

- Germany: in both civil and criminal proceedings concerning the unauthorised use of unlawfully obtained data containing personal identity information, courts have found that the unauthorised use of such unlawfully obtained data for a transaction causing damage to the victim’s financial position may constitute a criminal offence of fraud or computer-related fraud.

- Sweden: several cases concern third parties’ stolen credit cards or the unauthorised use of such credit cards. These crimes usually constitute fraud.
We see, therefore, that unlawfully using another person’s credentials such as credit/debit cards can be qualified in different ways: in all of these countries these incidents have been qualified as fraud or computer-related fraud; in four other jurisdictions they have been considered as forgery, in two more as theft and, finally, in two others as unlawful access to information systems (for the latter three qualifications, in conjunction with fraud).

A second large group of cases concerns the unlawful use of somebody’s credentials to access his/her email account or his/her profile on a social network. Usually the unlawful access was then followed by further illegal activities such as defamation, posting indecent material, etc. The mapping of the case law shows the following results in five countries:

- France: according to the Ruling of the Supreme Court of 20 January 2009, the perpetrators of the crime had published pictures of the victim naked on the Internet, making use of her email address. The offenders were convicted on the basis of identity theft and for violation of the right to privacy.

- The Russian Federation: there have been a number of cases of digital identity theft. The most interesting recent case was classified as extortion. In 2009, in Tambov, Mr V, an administrator of an Internet café, stole several IDs and gained illegal access to the account of one of the clients at the social networking site www.odnoklassniki.ru. He later extorted money from Ms X, threatening to distribute discrediting photographs of her on the Internet. Mr V was charged with extortion, unauthorised access to computer data protected by law, violation of privacy of correspondence, illegal collection of information on a person’s private life constituting their personal secret, and disclosure of this information without their consent. The convict cooperated with the investigators and was given a conditional sentence of 2 years. In addition, Mr V had to pay 10,000 roubles (around €250) to the injured party for moral damage.

- Slovenia: it has been reported, inter alia, that the Information Commissioner investigated a situation where an individual illegally accessed the email accounts of his former boss and co-workers by successfully guessing or knowing their passwords. The case was forwarded to the police and the public prosecutor brought charges against the individual for suspected abuse of personal data, violation of the secrecy of means of communication and unauthorised access to an information system.

- Spain: several cases can be identified, and the following are particularly interesting: (i) sentence no. 48/2009, of 10 March, issued by the Provincial Court of Navarra (1st Section), confirming a Resolution of Pamplona’s Criminal Court of 16/10/08, in the case of a civil servant who observed a colleague working next to him typing her computer’s username and password, which gave access to all her files and her email account. The perpetrator then accessed the victim’s email account from his own workstation, sending erotic messages, signed with the victim’s name, to 35 professional colleagues included in the victim’s contacts. He was criminally condemned for an offence against intimacy, using someone else’s personal data, to imprisonment of 6 months and a fine of €1,800; (ii) sentence 236/2009, of 27 October, issued by the Provincial Court of Albacete (2nd Section), confirms the Resolution of the Criminal Court of Albacete of 28/07/08 and condemns an ex-husband for a criminal offence against intimacy and revealing secrets, for having unlawfully accessed his ex-wife’s email account, inserting an offending phrase in the details shown to her contacts in her communications, for having participated in messenger chats under her name in a highly self-offending and very indecent way, and for sending erotic pictures of the victim (taken by the husband while they lived together). He was imprisoned for 1 year, with a fine of €2,160.

- Sweden: an Appellate Court decided in 2002 that the use of someone else’s username and password for Internet access constituted computer-related fraud. In another, more recent case from the district court in Göteborg in 2008, a person ordered goods online by using false names and email addresses. He was convicted, ordered to pay compensation for the damages, and sent to prison for 2 months.

Other countries present a more varied case law that does not fall neatly into one of the two abovementioned categories. Two particularly interesting cases were reported from China. In the first case, the Shaoyang Beita District People’s Court made a decision on an identity theft crime in 2009. In this case, A paid B CNY 50,000 (US$10,680) to secure a swap of identities and college-entrance examination information to enable A’s daughter to be admitted by a university under the name of C. C discovered that her identity had been stolen when she tried to open a bank account but was told that her identity was already in use. Nor could she find a job, because the graduation and professional certificates she had been working towards could not be issued, as they had already been issued to A’s daughter using her name. Eventually A was prosecuted and detained on charges of forging official documents, certificates and seals, and she was sentenced to a four-year fixed-term imprisonment. The university degree obtained by A’s daughter through identity theft was revoked. But C found that resuming her true identity took longer than expected, because she was still turned down by both banks and the job market. Although she sought civil remedies by suing A and others for infringing her right of name and education, it does not seem that she will obtain any compensation from the prolonged proceedings in the near future. In a separate case in August 2001, the Shandong High People’s Court ruled for D, whose constitutional right to receive education had been infringed by the defendant’s identity theft of college-entrance examination information. The decision was affirmed by the Supreme People’s Court in an official reply to the Shandong High People’s Court. Unfortunately, the official reply was repealed by the Supreme People’s Court in a decision effective from December 24, 2008, which leaves uncertainty in the handling of identity theft cases.

The Chinese case law is emblematic as it shows the potential consequences of identity theft: even if one may at first be inclined to think that the abuse of somebody else’s identity and identification credentials is not likely to be too problematic for the victim in the longer term, this is certainly not always true. This case law shows very clearly that the victim can suffer moral and financial damages even if the perpetrator did not commit other crimes such as defamation, and even after the perpetrator has been convicted and punished.
8.3.4 Phishing

Phishing is the crime committed by a person who uses falsified information (eg, emails and/or falsified websites) to trick users into giving up identity information (eg, bank account numbers or passwords), typically in order to gain an illicit financial benefit. The phenomenon of phishing is unfortunately quite common and the number of potential victims is virtually unlimited, since the vast majority of the Internet population has an email account, a telephone account and a bank account. The economic impact of successful phishing scams is thus quite heavy, taking into account direct damages (those suffered by, for example, the owners of bank accounts who have been deceived) and indirect damages (those of banks and financial institutions that have to invest in security features while also risking the loss of users of their online services).

The analysis of the case law reported in the country profiles shows that phishing is a global, borderless phenomenon. However, it appears that there are target countries and ‘countries of origin’: it has been reported that perpetrators of phishing choose a country from which they direct attacks at bank customers in other jurisdictions. In Romania, for instance, it has been reported that phishing attacks are the most common method for obtaining personal data that are then used to commit other crimes (and this statement applies to all countries). Incidents are initiated on Romanian territory, but are addressed to victims across the borders. In most cases, the perpetrators send emails on behalf of a bank asking the victims, located in other territories, to provide them with personal data and credit card codes. The information obtained is used to transfer money to other bank accounts. This methodology creates investigative problems, since the authorities of the victim’s country need to be able to cooperate with Romanian law enforcement bodies in order to stop the perpetrators. International cooperation requires time, and in fact in some countries, such as the Czech Republic, there have been several cases involving phishing in relation to which a criminal investigation has been initiated, but no final judgements have so far been issued.

In other jurisdictions, however, the case law is more mature and court decisions can be reported. This is the case notably in the following countries:

- China: in May 2009, the police station of Shanghai Baoshang District investigated a phishing website that had been tricking users into entering their usernames and passwords for Taobao, an online transaction platform, in order to steal the money in the users’ accounts. In two months, the phishing website stole more than CNY 10,000 (around €1,000). In June 2009, four phishing website operators were arrested. In January 2010, they were sentenced by the Shanghai Baoshang District People’s Court to imprisonment for the crime of fraud.

- France: two rulings of the High Court of Paris, of 2 September 2004 and 21 September 2005, can be highlighted:
• In the 2004 ruling, the First Instance Court of Paris sanctioned a phishing attack on the basis of fraud, unlawful access to a computer system and unlawful alteration of data contained in such a system. The convicted person had mirrored a bank website and by these means managed to order transfers of his victims’ funds to selected bank accounts. The offender was also convicted of attempted fraud and fraudulent access to an automated data processing system, and received a suspended prison sentence of one year and a fine of €8,500.
• In the 2005 ruling, the Court punished a phishing act on the basis of brand counterfeiting. The Court considered that the fake website illegally used the Microsoft brand and reproduced and disclosed, without prior authorisation, the registration page of MSN Hotmail. The sanction remained low (a €500 fine with suspended sentence and €700 of damages to be paid to Microsoft) because of the young age of the offender and the fact that no personal data had actually been gathered. However, this decision is interesting since it is the only one that indicates that phishing attacks also involve copyright/trademark violations, and that they can thus be punished as such even if the perpetrator does not manage to gather personal information and/or gain a financial benefit.

- Germany: in several cases courts (in civil proceedings where victims sued for damages) have found that the use of data obtained by phishing for a transaction causing damage to the victim’s financial position may constitute a criminal offence of computer-related fraud, entitling the victim to recover damages.

- Italy: in 2008, a cyber attack against the Italian Post Company and one of the major banking and financial institutions was prosecuted under Art. 494 of the Criminal Code (‘substitution of person’), together with Art. 617 sexies (‘falsification or alteration of electronic communication data’), Art. 640 (‘fraud’), Art. 615 ter (‘abuse and intrusion into electronic systems’) and Art. 12 of Law 197/1991 (‘abuse in use of credit cards and payments’), based on the intent of the criminals to use a false ID to break into the companies’ electronic systems and steal money. Cases of ‘SMS phishing’ and other online phishing have been prosecuted as well. For example, in 2008 a court sentenced a man to imprisonment for 20 months for ‘manipulation of electronic communication for the purpose of fraud’.

- Japan: in 2008, the Kyoto District Court ordered a jail term of 3 years and 6 months and a fine of 1,000,000 yen (around €9,000) for a defendant who committed fraud and unauthorised creation of electromagnetic records, in an incident involving unauthorised access to an ICT system using the personal information of another person that he had obtained by phishing.

- The Netherlands: the case of the Amsterdam Court of 28 May 2003 regarding a Nigerian scam can be reported, where people were tricked by email. The suspect was convicted of money laundering, involvement in a criminal organisation, fraud, forgery and possession of forged travel documents, and sentenced to a fine of €411,440 and 4 years 6 months’ imprisonment.

- Sweden: the district court of Uppsala ruled in a case in 2010 in which somebody lured the victims via telephone into sharing their access codes. The perpetrator was convicted of gross fraud, sentenced to 10 months’ imprisonment and ordered to pay compensation for damages of about 80,000 SEK (around €8,000).

- The United States: United States vs Goodin, US District Court, Central District of California, 06-110, can be reported as an example. The defendant violated federal law by sending customers of the ISP America Online thousands of unsolicited emails that falsely purported to be from the AOL Billing Department. With these messages the defendant prompted the recipients to update their personal and credit or debit card information. The spam emails were sent from fraudulently created email accounts and contained web links to false AOL web pages, which in turn contained computer code directing the information provided to email accounts controlled by the defendant. He then used the information to make unauthorised purchases. On 11 June 2007, the defendant was sentenced to a total of 70 months’ imprisonment. The judgment was affirmed by the Ninth Circuit on 17 December 2008.

Taking into account the high number of phishing attacks worldwide, it may be surprising that the case law to be reported in the countries covered by this study is relatively limited. This is probably due to several different reasons, including difficulties in conducting investigations and the fact that attacks often originate in a country other than that of the victims. This theory seems likely if we consider that the abovementioned decisions, at least in the case of France, China, Japan, Sweden and the United States, concerned phishing attacks perpetrated from the national territory. Cross-border investigations (requiring the linking of an IP address to a foreign individual) can be much more complicated than purely national cases. However, the mapping of the case law shows that when investigations are possible and a perpetrator can be found, he is likely to be sentenced at least for fraud, though often in combination with other offences.

8.3.5 Using falsified identity documents to unlawfully apply for social benefits

Identity theft, as we pointed out above, is very often committed in order to gain an illicit financial benefit. In the case law so far, we have reported situations of illicit gains with direct damages for private companies and individuals who, for instance, lost their money from bank accounts. Identity theft may also be directed against public institutions, for example to obtain social benefits that would not otherwise be granted. The phenomenon of identity theft in the social security sector (so-called ‘social fraud’) cannot be neglected. In many countries it has been reported that the impact of this form of criminality is particularly large.
In Ireland, for instance, prosecutions for social welfare fraud are relatively common and approximately 380 cases were referred to the courts in 2009, according to a press release of 8 December 2009 from the Department of Social and Family Affairs. In Belgium, too, social security fraud by means of falsified identity or by means of falsified supporting documents is a serious issue that has a notable financial impact on the state’s budget. According to the Belgian government, in 2008 the public authorities paid €2.55 million to people who applied for employment benefits without any right to obtain them; this is, of course, only a small part of social security benefits so that the total losses to ID fraud are certainly bigger. Similarly, in China there have been disputes concerning people who submitted falsified ID documents to apply for governmentally subsidised housing benefits. This implies that in several jurisdictions the case law in the field is particularly rich. The following examples, inter alia, can be reported: - Bulgaria: the courts, including the Court of Cassation, state that the use of false official documents to unlawfully apply for and obtain pensions and compensations is documentary fraud. - Denmark: in a case from 1996 an Algerian citizen was convicted to 3 months of imprisonment for forgery and fraud using falsified documents to prove that he was a French citizen and thereby claiming social benefits amounting to DKK 71,000 (around €9,500). - Finland: like in Belgium and Ireland, there are several cases in which a person has applied for social benefits by using other kinds of falsified documents (ie, other than identity documents) or has provided the authorities with incorrect information or has concealed relevant information from the authorities. In those cases the offences have been classified as fraud and/or forgery. 
As an early example, in 1978 the Supreme Court ruled that falsifying a (school) report card and the use of the report card when applying for a training grant/education allowance constituted an attempted fraud. - France: the Supreme Court in a judgment of 28 March 2006 confirmed the criminal sentence pronounced by the Court of Appeal of Basse-Terre against a woman who lied about her real name to obtain official identity documents (providing a third party’s name) enabling her to opt for social benefits. The Appeal Court sentenced her to six months of imprisonment (suspended) for identity theft, to another six months of imprisonment (also suspended) for the use of falsified documents to obtain a benefit and ordered her to reimburse the sums that had been paid to her by Social Security Funds. 101 RAND Europe & time-lex Chapter 8 Analysis of country summaries and recommendations - Germany: the prevailing case law criminalises the act of using falsified identity documents in order to unlawfully receive social benefits as fraud. There is a legal obligation for welfare recipients to always state the truth. Thus, an error about identity need not be elicited by special acts of the applicant. Even an accidental error of the public agency has to be clarified. Any deviation is treated by the courts as fraud committed by omission. Perpetrators will be punished with imprisonment or a fine. Any single verification of social benefits counts as an independent criminal act and will be penalised. Courts regularly even qualify social fraud as a criminal act committed on a commercial basis, which is penalised as an especially serious type of fraud with imprisonment from six months to ten years. Furthermore, perpetrators will have to face two incidental legal consequences: (i) the reclaiming of unlawfully received social benefits, and (ii) an entry in the criminal records and the police clearance certificate. 
Even first offenders receive such an entry in their criminal records and police clearance certificate if fines have been imposed at more than ninety daily rates. - Greece: in its decision 887/2008, the Supreme Court ruled in a case in which a citizen managed to deceive the authorities with regard to her date of birth in order to receive a pension from the Social Insurance Institute under the early retirement scheme. - Italy: there are many cases of social fraud. A particularly interesting case regards the ongoing investigations of the office of the Prosecutor of Rome, as reported by the press.88 According to the investigations carried out so far, it seems that 300 people (mainly lawyers) falsified the signatures of Italian citizens living abroad in order to apply for social benefits and/or to ask to the competent courts to grant social benefits. The defendants are likely to be charged with the offences of fraud, forgery and substitution of person. In February 2009, a group of 29 false disabled persons, who were benefiting from a one-year state pension and assistance, with the support of friendly doctors and public officers, were arrested in Naples by the police. The Court of Naples qualified the crimes as forgery (offline) of official documents and as fraud against the Public Administration. The organisation was globally sentenced to 80 years of imprisonment and a fine of €100,000 to be refunded to the Italian budget authority. The individual defendants were sentenced to imprisonment (from a minimum of 2 years and 4 months to a maximum of 10 years), in accordance with the seriousness of the disability claimed (and the consequent amount of the undue pension provided). - Malta: there are several judgements of the Courts of Malta relating to this matter, such as, for instance, Police vs Luigia Zarb Case No. 966/2005 (Court of Magistrates). 
In this case the accused was found guilty of (i) using false names and of committing fraud, (ii) of making false declarations in documents intended for a public authority and (iii) of infringing the Social Security Act by declaring false information about her inheritance and by presenting falsified documentation. 88 See, as of 28 January 2011: http://roma.repubblica.it/cronaca/2010/08/06/news/pensioni_fantasma_maxi_truffa_all_inps6101257/index.html 102 RAND Europe & time-lex Chapter 8 Analysis of country summaries and recommendations - Belgium: the case law in the field is extensive. One notable case that can be mentioned here is Court of Brussels of 21/5/2004: a person who falsified his identity documents in order to obtain social benefits was sentenced (for this fact in combination with other crimes) to 3 years imprisonment and a fine of €1,000. - Spain: many decisions of the Spanish courts can be reported, including the Sentence no. 1581/2005 of 26 December issued by the Supreme Court (Criminal Section), where an illegal resident in Spain used a falsified copy of someone else’s resident card and working permit in order to get a labour contract and to have access to Social Security and to open a bank account. She was criminally condemned for usurpation of someone else’s ‘civil status’, with imprisonment of 7 months. Furthermore, there are also cases of illegal immigrants who, while using a false identity, obtained social benefits (a pension) derived from a professional accident, being criminally condemned for usurpation of ‘civil status’, but being recognised by the Social Courts their right to the pension, as in Spain foreign workers have this right even if they do not have a residence or working permit (see Sentence no. 7974/2006 of 15 November of the Superior Court of Catalonia – Social Section). The Netherlands, on the other hand, reflect a different trend, since relatively few cases of identity theft to apply for social benefits are known. 
The Ministry of Social Affairs and Employment states that it does not occur frequently, since it is much easier to use authentic identity documents to obtain social benefits and then work undeclared than to use falsified documents. This implies that the impact of identity theft on social security depends on the national legislation and the status of social benefits. Generally speaking, however, even in those countries where many categories of citizens and foreigners may have a right to benefits, the gravity of social fraud (often perpetrated through identity theft) is notable.

8.3.6 Trafficking in unlawfully obtained personal information

Finally, the country reports also examined trafficking in unlawfully obtained personal information, ie, personal data collected through identity theft. This trafficking includes, for example, the selling of databases of email addresses to email marketers. It is clear that identity theft in these situations is preparatory to the trade of the data illicitly obtained. The mapping of the most interesting case law reveals the following decisions in six countries:

- Belgium: in 2000, the criminal courts of Ghent ruled in a case in which a hacker had collected ISP customer data (username, password, email addresses and credit card numbers) which he subsequently released to press agencies. The hacker was convicted for violation of communications secrecy laws and fined.

- China: in 2009, A illegally purchased a detailed log of telephone calls made by high-ranking local government officials, then sold it to fraudsters who used it to impersonate the officials over the telephone. The fraudsters convinced friends or relatives of the officials that the officials needed money for an emergency situation, and then induced them to transfer money to a bank account controlled by the fraudsters.
While the fraudsters were prosecuted for fraud, A was convicted by Zhuhai Xiangzhou District People’s Court for the crime of illegally obtaining a citizen’s personal information. A was sentenced to 18 months imprisonment and a fine. The case showed that it is not only the selling or illegal provision of citizens’ personal information to other persons by the staff of particular organisations that is subject to penalty, but also the illegal obtaining of such information by way of theft or other means, where the circumstances of the case are serious. For these reasons this case is particularly notable and shows the maturity of the national case law in the field of identity theft.

- Greece: in 2003 the Supreme Court dealt with a case in which perpetrators, acting together and with common intent, copied onto diskettes a list of clients from the victim’s computer with the intention of using the clientele in a competing travel agency that the perpetrators established following the departure of one of them. The Supreme Court held that the offence of violation of secret computer elements or software was committed.

- Ireland: the Data Protection Commissioner has dealt with an inquiry relating to an offer of the ‘gift’ of a database of names and addresses that had been made to a charity. The charity asked for advice from the Commissioner’s office as to whether they could accept this gift. The Commissioner expressed the view that acceptance of the gift would involve breaches of the fair obtaining and compatible processing requirements of the Data Protection Acts.

- The Russian Federation: in 2009 the court case of Mr Sh, a national of Moldova, was examined. He sold the personal data of the clients of a well-known insurance company.
The court ruled that from October 2006 to June 2008 Mr Sh was working as a top specialist in the department of telephone sales at OOO Rosgosstrakh-Stolitsa and had access to client databases containing key data of its clients constituting trade secrets, specifically: their full personal data, including surnames, names and patronymic names, permanent addresses and resident addresses, telephone numbers, insured objects (car brands, identification numbers, registration codes, years of manufacture), amount of insurance premiums, duration of contracts, and insurance policy numbers. During this period the criminal copied the client database onto his personal data storage device (a memory stick). On 6 February 2009 he found a customer interested in this information on the Internet and arranged a meeting. The buyer was, however, an employee of the economic and information security department at OOO HC Rosgosstrakh, and Mr Sh sold him the data on more than 34,000 natural persons for 50,000 roubles (around €1,250). After that, he was arrested by police. Mr Sh was sentenced to one year in a penal colony for illegal disclosure, out of pecuniary interest, of information constituting a trade secret without the consent of its owner, after acquiring the information at his workplace.

- Slovenia: the Information Commissioner investigated a case of illegal transmission of personal data between two insurance companies. Personal data of 2,300 individuals was sent from one insurance company to another, and used by the latter for direct marketing. Both the sending of the data by the first insurance company and their use by the second took place without the necessary legal ground. The first insurance company was fined €112,000 and its responsible person €2,000, whereas the second company was fined €108,000 and its responsible person €20,000, both for violation of the Personal Data Protection Act. One of the companies appealed to the court, whereas the second one paid the fines without appealing.

8.4 Identity theft reporting mechanisms

8.4.1 Introduction

The sections above have mainly examined the strictly legal responses to identity theft, namely which laws exist and how they are applied. But before this becomes relevant, incidents need to be identified. The importance of efficient reporting mechanisms in the field of identity theft (or in the field of any Internet-based crimes/problems) is pivotal. Identity thefts, by their nature, are in the vast majority of cases unlikely to be discovered by law enforcement officers unless the victim of the incident, or at least a witness, reports the incident to the competent authorities. This consideration applies to both online and offline identity thefts, and in the case of the Internet, the transnational nature of the incident will also frequently play a role. In other words, two elements are absolutely crucial in order to set up an efficient system to combat identity theft (or Internet-based crimes): a transparent and effective reporting mechanism for victims of incidents, and transnational cooperation between the authorities in charge of collecting those reports.

These issues, especially the first, have been assessed in all of the countries covered by the present study. The analysis shows that the public authorities of almost all of them have set up online or offline reporting mechanisms for identity theft incidents, other Internet-based crimes or crimes in general, or at least have set up awareness-raising campaigns or created dedicated websites where potential victims may get information about existing risks and how to be protected. However, when looking specifically at identity theft, only a limited number of countries have implemented reporting mechanisms.
In the next paragraphs we will provide an overview of existing reporting mechanisms in the countries covered by the present study, taking into account that a distinction must be made between:

o Online and offline reporting mechanisms;

o Reporting mechanisms dedicated to identity theft incidents, reporting mechanisms for Internet-based crimes and reporting mechanisms dedicated to all crimes.

Without entering into further details at this stage, we can note that many countries have set up general online reporting mechanisms (and in some other countries it is possible to send complaints about identity theft incidents by email, so that the number of jurisdictions where only paper-based reports are accepted is relatively limited), but that only a few of these have implemented online or offline reporting mechanisms exclusively dedicated to identity theft incidents.

The fact that identity theft incidents are to be reported using a website where any other crimes can also be declared does not, of course, mean that the reporting system is not efficient, or that it is less efficient than in those countries that have a dedicated reporting mechanism, provided that the victim can obtain enough information about what identity theft is and how it can be reported. Education and awareness are thus very important: unlike traditional crimes, which are sufficiently recognisable to most citizens without difficulty, this is not necessarily the case with identity theft (the same applies to phishing, etc.). This explains why educating Internet users and potential victims is as important as providing them with efficient reporting mechanisms.
8.4.2 Ad hoc online and offline identity theft reporting mechanisms

As a first category in this analysis, several countries have implemented specific systems and tools expressly aimed at receiving complaints about identity theft incidents, a summary description of which is provided below.

The country with the most sophisticated online tools to report identity theft is the United States, where a variety of online reporting mechanisms are available for victims of these incidents. The primary one is the Federal Trade Commission’s Identity Theft Complaint Form. This tool allows the submission of reports about online and offline identity theft incidents, both online and by phone. The Federal Trade Commission stores all reports in a dedicated database of online and offline identity theft incidents, which can be shared with private entities when this is useful for investigations or to better combat identity theft. In particular, the identity theft complaint form used by consumers online in order to file a complaint with the Federal Trade Commission can, in conjunction with a police report, become part of an identity theft report, which contains enough information about the crime to verify that someone became a victim of identity theft and in what way. These identity theft reports can then be submitted to credit reporting companies or creditors to gain legal protection against identity theft. The Federal Trade Commission works in collaboration with police forces and other law enforcement agencies across the United States, as the latter will be in charge of investigating the incidents and prosecuting their perpetrators. However, victims of identity theft can report it directly to the Federal Trade Commission, which thus acts as a single point of contact.
Other US bodies have implemented their own identity theft reporting mechanisms, including the Postal Inspection Service, the Social Security Administration’s Office of the Inspector General, the Internal Revenue Service, the State Attorney General’s Offices, and the Internet Fraud Complaint Center. The extensive list above illustrates that in the United States identity theft incidents are perceived to represent a serious problem which is given due policy priority.

The situation is rather different in Europe, where existing online reporting systems generally target all Internet-based crimes or, more generally, all kinds of crimes (without specific emphasis on identity theft). The Netherlands is the exception to the rule, since the Dutch government has implemented its Central Reporting and Information Point for Identity Fraud and Identity Errors. In the Dutch portal, victims of identity theft incidents may obtain general information and also ask the team at the Point questions about identity fraud and mistakes in the registration of data. Furthermore, victims can report identity theft incidents: the claim is filed using a standardised document (available on the website of the Point) that then has to be sent by post. In other words, the reporting mechanism is, in fact, offline, as all communications between the Point and the reporter take place by regular mail.

The Dutch portal is notable in one other respect, which appears to be unique among the examined countries: rather than being merely a tool to report identity theft, the initial report also triggers two-way communication. Specifically, the victim is given initial guidance on what steps to take next, and is thereafter frequently updated on the status of his/her report, including the status of investigations.
In this way, the portal serves not only as a tool to collect complaints and pass those on to the relevant authorities, but can effectively serve as a single point of contact for the citizen. This can certainly be highlighted as a viable example of good practice.

8.4.3 Generic reporting mechanisms

Whereas in the United States and in the Netherlands there are reporting mechanisms dedicated to identity theft, in several other states the competent authorities have set up generic reporting tools where identity theft incidents can also be reported. Several categories can be identified:

Online reporting mechanisms for Internet-related crimes/problems

In a number of countries victims or witnesses of any Internet-related offences (including identity theft) can report them to the authorities through an online form. The reader must be aware of the fact that in some cases these reporting systems are limited to ‘real’ crimes (ie, to facts qualified as criminal offences by the law), while in other jurisdictions the reporting tools can also be used by victims of disruptive behaviours that are not to be qualified per se as crimes. Generally speaking, online reporting mechanisms managed by the police or by law enforcement agencies can only follow up on reports about crimes (eg, the fact that somebody creates a fake profile of another person on a social network, without pursuing defamation or fraud, is therefore excluded); reporting mechanisms managed by entities other than law enforcement agencies may usually accept reports about identity theft incidents that are not to be qualified as crimes as such.

The following countries have online reporting mechanisms for Internet-related crimes:

o Belgium: eCops, a general reporting site for Internet crimes, has been established. This site is managed by the Federal Judicial Police and it is not directly aimed at collecting reports from victims of incidents (who should instead directly contact the police). However, witnesses of Internet-related offences can report them to the Police using the eCops platform: all reports will then be transferred to the special Federal Computer Crime Unit of the Federal Judicial Police.

o Bulgaria: here the site/tool Cybercrime.bg, managed by the Ministry of Interior, acts as a single contact point where incidents related to phishing (and to other Internet-related crimes as well) can be reported.

o Greece: the tool Safeinternet.gr, created in cooperation between the public and private sectors, acts as an information portal for the reporting of Internet-based crimes. The hotline Safeline.gr, the second pillar of Safeinternet.gr, can be used to report violations, mainly linked to illegal content on the Internet, but without excluding other Internet-based crimes and identity theft incidents (when these can be qualified as criminal offences). Safeline.gr is thus a single contact point to report Internet-based crime incidents in Greek and in English. Reports can be submitted online, by phone, by mail, by email or by SMS. All reports are then sent to the police and to the corresponding hotline, if any, in the country of origin of the crime. Several identity theft crimes can also be reported online to the Hellenic Authority for Information and Communication Security and Privacy.

o India: there are several ways to report Internet-related offences in India. These are the online reporting mechanisms of the Indian Computer Emergency Response Team, those of the Cyber Crime Investigation Cells across India, and those of the Cyber Crime police stations (where the service is available). However, these services collect relatively few reports due to the lack of information available to the public.

o Italy: the CNAIPIC (Anti-Cybercrime Centre for National Infrastructure Protection) is a highly specialised cell of the Italian Police, which aims to prevent and deter cyber-threats.
CNAIPIC has exclusive competence to prevent and investigate crimes concerning ICT systems with a serious impact or that are relevant to national interests. An operational contact point (managed by the helpdesk of CNAIPIC) is open 24 hours a day, 7 days a week; it is available for owners and managers of critical infrastructures and for other entities operating in the protection of such infrastructures. The helpdesk is therefore not accessible to citizens and ordinary users.

o Japan: the websites of the IT Promotion Agency and of the Internet Hotline Center provide users with the opportunity to report illegal Internet incidents (unauthorised accesses, damage to data, etc.), including those related to identity theft.

o Romania: the website eFrauda.ro was established to collect complaints about Internet frauds and cybercrimes (including spam and spyware); however, at the time of reporting the site was inoperative.

o United Kingdom: through the portal of Action Fraud, any offline or Internet-based incident relating to fraud (including identity theft incidents and phishing) can be reported using standardised forms, in order to facilitate the reporting and effective follow-up of any fraud. Action Fraud is intended for victims and witnesses of frauds, and the data collected are forwarded to the National Fraud Intelligence Bureau and, when necessary, to local police forces.

The list above focuses on reporting mechanisms for crimes. The following countries have reporting mechanisms for Internet problems (even when they do not necessarily qualify as crimes as such):

o Austria: the reporting tool Stopline.at can be used to report Internet-based offences relating to (i) child pornography and (ii) promotion of national socialist ideas. Although in principle the reporting mechanism can be accessed only to report the abovementioned offences, it is likely that reports about identity theft will be forwarded to the general IT-Crime Department of the Federal Criminal Police, which is competent for Internet-based crimes.

o Cyprus: the portal of SafenetCY accepts, processes and forwards reports about all Internet problems, and addresses not only issues of pornography, but also racism, gender discrimination and inappropriate use of people’s images. Persons can report any content on the Internet that they believe is illegal or simply inappropriate or offensive. This includes websites, newsgroups, FTP, emails and chat rooms. After verification of any alleged illegal content, all reports are forwarded to the police and to the hotline (if any) in the country of origin of the illegal content.

o Ireland: the platform Hotline.ie is a facility to report suspected illegal content (thus including criminal content, but also content related to phishing and identity theft).

o Finland: incidents related to electronic communications can be reported online to the Finnish Communications Regulatory Authority.

o Latvia: it is possible to report problems online to the Computer Security Incident Response Team (DDIRV), part of the State Information Network Agency. Consultations and recommendations are available for every person who has submitted an incident report, and DDIRV is responsible for security incident handling and prevention in the reporter’s network.

o Lithuania: IT security incidents can be reported online via the general reporting website of the Lithuanian National Computer Emergency Response Team, which is part of the Lithuanian Communications Regulatory Authority. However, this reporting mechanism is not primarily intended for victims of Internet incidents, who should report them directly to the police.
o Portugal: unsolicited communications and other malpractices in electronic communications (including those related to identity theft) can be reported online to the Telecommunications Regulatory Authority.

o Romania: phishing incidents can be reported online to the Romanian Computer Emergency Response Team.

o Slovenia: incidents linked to malpractices in electronic communications can be reported online to the Post and Electronic Communications Agency (the report must be digitally signed by the victim or reporter). Security incidents involving networks or systems in Slovenia can be reported by email to the Slovenian Computer Emergency Response Team Constituency.

Online reporting mechanisms for all offences

Online reporting mechanisms for crimes in general (thus not only Internet-related facts, but all offences) can also be useful tools in combating identity theft. These online mechanisms are generally managed by national or local police forces and collect complaints about facts, qualified as criminal at least prima facie by the reporter, that need further investigation.

Electronic reporting of offences via the website(s) of the police is possible in:

o Finland, via generic police department sites.

o Hungary, where online reporting at the crime prevention website of the police is possible; more direct online reporting of crimes to the police will soon be implemented in the framework of e-Government reforms.

o Italy, where the online reporting of crimes to the police implies the instant opening of a crime report, and where crimes specifically related to the telecommunications and postal service can be reported by email to a special department of the police.

o Lithuania, where incidents can be reported online by victims via the website of the so-called Cyberpolice.
o Luxembourg, where crimes can be reported online to the police, although the report must then be completed in the office of a law enforcement body by a physical complaint.

o Malta, where online reporting to the Malta Police Force is possible. It is also possible to provide the police with general information about a fact without formally reporting a crime. If a crime has been reported, the reporter has the possibility to follow up any file and to obtain information from the police about the reported incident.

o Russia, where crimes can be reported through the portal of the police, which acts as a point of contact for reporting any offence using standardised user-friendly forms. All registered statements and reports related to crimes and violations in computer information, the Internet or other networks (including digital identity theft) are passed on to regional specialised and dedicated ‘K’ departments of the Ministry of Internal Affairs according to where these statements were registered.

o Slovenia, where online reporting of offences to the Ministry of Interior through the e-Government portal is possible (reports must be signed with the digital signature of the reporter).

o Spain, where crimes can be reported by email to the national police and online (and by email) to the Civil Guard. However, according to Spanish law, victims of crimes should always report the incidents in person, and thus the use of online reporting tools would not be legally adequate. Cases of phishing can be reported by email to the Internet Domain Names Registry; however, victims should also follow the normal procedure with the police, as reporting to the Registry is not enough to initiate formal investigations.

The examples above show that police forces play a notable role in many countries in collecting reports about identity theft incidents and in opening investigations. If such incidents do not involve a crime, other actors may be involved, namely administrative bodies.
The role of national Data Protection Authorities (DPAs) should be examined specifically in dealing with identity theft incidents, given that, generally speaking, such incidents involve the violation of data protection laws as noted above, and therefore their perpetrators could at least in theory be sanctioned for this by the competent DPA.

In some jurisdictions identity theft incidents, when they involve the unlawful processing of personal data (as is normally the case), can be reported online to the national DPA, which will then start investigations. This may happen, inter alia, in Bulgaria, Finland, Greece, Latvia, Lithuania, Poland and Slovenia. In these countries it is of course necessary that the coordination between the different bodies and authorities involved is efficient, in order to avoid overlaps and duplicate actions by different authorities investigating the same incident. This applies also to countries where the intervention of the DPA can be requested offline; in this sense it would certainly be more efficient to have a single point of contact for identity theft incidents, as in the United States and in the Netherlands.

As a matter of nuance, however, it is worth noting that no case law has been identified where a DPA has issued sanctions to identity theft perpetrators. While this may be simply a matter of a ‘dark number’ (as such sanctions may not necessarily be made public), it is equally possible that such sanctions are rare in practice. Thus, the effectiveness of DPAs as an avenue for combating identity theft is uncertain.

8.4.4 Other reporting mechanisms and informative sites

Some countries have developed other systems to combat identity theft and to manage reports about these incidents. In Canada, for instance, there are multiple points of information and only a few are dedicated to identity theft.
There are, however, several phone hotlines and online filing systems managed by government departments and private entities where identity theft incidents can be reported. These tools only provide guidance on how to protect against identity theft and do not coordinate the further process (eg, investigations, notifications to the reporter, etc.) after the reporting itself.

In China, although in principle all offences must be reported directly to the police, some non-governmental reporting mechanisms have been established in some regions (worth mentioning is the Anti-Phishing Alliance, which combines several business organisations). However, these provide reporters with information and technical solutions rather than with any legal follow-up. A notable role is played by the reporting site of the Internet Society of China, which maintains an online Illegal and Inappropriate Information Reporting Center. People may report phishing or other illegal websites to the Center. The Center will then forward the received reports to the competent authorities, such as the police.

In Denmark, similarly, there is no general identity theft reporting mechanism, but all Danish banks have a reporting tool for problems with passwords and banking credentials. Denmark thus represents a good example of a country where private entities (banks) set up reporting mechanisms for identity theft incidents. Banks will then forward the reports to the competent authorities: this system has the advantage that victims of identity theft incidents, at least when banking data are concerned, know immediately to whom such offences can be reported, as it will be more intuitive for an identity theft victim to refer to his/her own bank in case of trouble with passwords, credit card data, etc.

Another example of private parties playing a supporting role in identifying and combating identity theft incidents is consumers’ associations. These can also take the initiative to report identity theft incidents to competent law enforcement agencies (eg, in Italy), or in other countries (eg, Latvia) it may be possible to report incidents directly to such associations.

Finally, it is worth pointing out the importance of information (and awareness-raising) campaigns and informative websites, where consumers and businesses can find information about the risks of identity theft and about how these can be prevented and reported, even if the sites themselves offer no reporting mechanisms. Examples of extensive informative sites about identity theft can be found in Belgium, the Czech Republic, Denmark, Estonia (where information about identity theft crimes is available on the website of the police, to which these incidents must be reported), France (where awareness campaigns have been carried out by French banks and other non-governmental organisations), Germany, Greece, Japan (where the National Police Agency provides users with consultation services about Internet safety and security, and where there are many other informative sites), Lithuania, Luxembourg (where competent public authorities carry out informative sessions about identity theft risks at schools), Malta, The Netherlands, Romania, Russia (where there are informative sites of regional police offices and of other public and private entities), Spain (where, in addition, an Online Fraud Repository is available), Sweden and the United Kingdom. These sites can play a crucial role in ensuring that consumers are made aware of identity theft risks and of appropriate follow-up mechanisms.

8.4.5 Cross-border collaboration and international reporting mechanisms

Transcending the strictly national perspective, it has to be highlighted that national reporting mechanisms (and subsequent actions) should ideally be coordinated at the European and international level.
This coordination should allow the exchange of general identity-related information (eg, characteristics of official ID documents, where to find competent authorities) and should facilitate cross-border investigations.

In terms of the exchange of identity-related information, there are sites that disseminate information about official ID documents with the aim of providing authorities and citizens with useful information about national ID cards and with the opportunity to verify the identity of people they have to deal with. This is precisely the scope of the PRADO system (‘Public Register of Authentic Identity and Travel Documents Online’), which is a website with information about the security features of identity documents of countries within the European Union and the European Economic Area. The system is managed by the Council of Europe and is based on the European Image-Archiving System FADO (‘False and Authentic Documents Online’), created by the Council Joint Action 98/700/JHA of 3 December 1998.89 Such European initiatives are also reflected in national tools, such as in Belgium, where citizens can verify whether Belgian identity documents (passport, identity card, residence permit with chip) are valid or not through the website checkdoc.be.

European initiatives are also pivotal as regards the exchange of data between national authorities.
The information gathered through national reporting mechanisms, given the frequent transnational nature of cybercrime, will often need to be exchanged among law enforcement agencies: this is the aim of the recently established European Cybercrime Platform (ECCP), managed by Europol, which would act as an information hub, analysing and exchanging with national law enforcement authorities information relating to cybercrime falling under Europol’s mandate. ECCP will be complemented by national Cybercrime Alert Platforms that collect information to be shared: according to available data almost all Member States have established national alert platforms, while Europol is working on its EU Cybercrime Platform. In practice, the tool implies that national platforms receive citizens’ reports about illicit content or behaviour detected on the Internet and that Europol’s EU Cybercrime Platform receives law enforcement authorities’ reports on serious cross-border cybercrime.90 Identity theft reporting mechanisms could thus conceivably ‘plug in’ to generic national cybercrime platforms, or even directly into the EU-level platform.

89 As of 28 January 2011, available at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1998:333:0004:0007:EN:PDF

The relevance of supra-national initiatives such as ECCP can be fully understood if one considers that identity theft is often perpetrated by international criminal organisations in the framework of illegal activities such as fraud, terrorism, human trafficking, etc.
All these serious threats to individual and collective freedoms and security need to be tackled from a (at least) European perspective: this is underlined in the EU strategy document ‘The prevention and control of organised crime: a strategy for the beginning of the new millennium’,91 implemented inter alia by Council Decision 2001/427/JHA of 28 May 2001,92 which sets up a European Crime Prevention Network. A role in the field is also played by the Multidisciplinary Group on Organised Crime, which has the task of coordinating and developing the strategic concept of the European Council in fighting organised crime (as emerged from the results of the Seminar on Organised Crime held in The Hague on 10 and 11 June 2004).93

90 For further information see (as of 28 January 2011): http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/10/349&format=HTML&aged=0&language=EN&guiLanguage=en
91 Official Journal C 124 of 3/5/2000
92 As of 28 January 2011, available at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32001D0427:EN:HTML
93 See (as of 28 January 2011): http://register.consilium.europa.eu/pdf/en/04/st13/st13463-re02.en04.pdf

CHAPTER 9 Conclusions and recommendations

9.1.1 Key findings

Looking at the legislation identified in the country reports, it is clear that only a minority of countries have presently enacted specific identity theft legislation. Traditional provisions, notably with respect to fraud, forgery and cybercrime, are generally applied to address identity theft instances. Based on the case law presented, it is not evident that this lack of specific regulations presents significant difficulties in practice: appropriate criminal classifications were found to exist for each of the five chosen scenarios in each of the examined countries.
While actual case law is not as prevalent as could have been hoped for, it nonetheless showed that traditional legal qualifications (notably fraud) are commonly applied to instances of identity theft. Thus, the country reports do not support the notion that there is a clear legal vacuum to be filled in order to combat identity theft effectively. The reports also highlighted that there is a significant disparity in the qualifications and sanctions applied in each case. Partially this can be explained by differences in case details, but it is certainly also the result of the conscious policy choice to leave the determination of appropriate sanctions for specific crimes to Member State autonomy. As such, this is not an issue unique to identity theft. The viability of establishing a common EU-wide concept of identity theft and/or a common punishment policy depends largely on whether the subsidiarity threshold that enables European policy intervention can be met. Policy intervention may be more clearly warranted if unacceptable inconsistencies between national laws or policies were identified that risk overburdening the courts or law enforcement bodies of some Member States due to the inaction of their neighbours, or due to the inability to address identity theft effectively in the absence of joint EU-level intervention. The current report does not directly support the view that there is a universal need for EU action, since no instances have been identified where an act of identity theft as described in Chapters 1 and 2 of this report could not be punished at the national level.
When considering EU-level intervention, it is important to acknowledge and consider the challenges in proposing such a common concept of identity theft, including notably what activities the concept really aims to criminalise, which (if any) unintended side effects may occur on the basis of proposed definitions, and how new proposals might relate to existing laws, including the evolving European Legal Framework for Privacy and Data Protection and cybercrime regulations such as the aforementioned Framework Decision on Attacks Against Information Systems and the Council of Europe Convention on Cybercrime.

With respect to reporting mechanisms, the analysis above shows that while many of the examined countries have implemented them in some form or other, their scope and function vary quite widely. Currently, the spectrum includes sites focusing on identity theft, on cybercrime in general, and on any crime; sites that offer online reporting or that only support offline reports; sites operated by private parties and sites operated by public authorities; and sites that can be used to initiate criminal investigations or that only provide recommendations and tips to victims. Generally, the interactivity of these sites is still quite limited, in the sense that reporting individuals are not typically informed of how their reports will be treated, and the cross-border dimension of many identity theft incidents is still largely not addressed by the reporting mechanisms, which do not allow reports to be transmitted to investigative authorities in other Member States. Thus, there is certainly still room for improvement on this point, especially considering that the reporting mechanisms could also serve as a useful data collection tool, which could contribute to the emergence of a common understanding of identity theft and its prevalence at the EU level.
9.1.2 Conclusions with respect to legislation

The analysis above shows that there is currently no homogeneous approach to the topic of identity theft as such among EU Member States, but that all of them have similar (or only partially divergent) rules in the field of fraud, forgery, data protection, etc. Collectively these may well prove to be adequate to address identity theft in practice, considering that preparatory acts to identity theft (collecting and trading identity information or documents) will normally fall foul of data protection laws, and that subsequent uses of such material will fall under one of the other classifications examined above. From the practical perspective, then, the need for new criminalising regulations is not evident based on the observations above. However, it should be acknowledged that certain weaknesses still exist in the current regulatory framework with respect to identity theft, notably:

• There appears to be no consensus on the existence of any regulatory vacuum; while the French example demonstrates that at least one Member State feels that there is a gap to be filled, this perception is not necessarily shared by other Member States.

• Other possibly applicable provisions (notably including fraud, forgery and their computer-related variations) are not fully harmonised. While this is a conscious policy choice made by existing initiatives, which intended to bring these regulations closely together but not to make them fully identical, it may have the side effect of making some instances of identity theft illegal in some Member States and not in others.

• The theoretical safety net provided by data protection regulations depends on the existence of effective enforcement strategies in the Member States, and such enforcement strategies are certainly not standard practice.
Thus, while no clear regulatory gap is evident from the examined evidence, this issue largely depends on how identity theft is identified, and how broadly one wishes to criminalise specific behaviour, especially in the absence of harm to the victim and outside the context of existing crimes. The examples examined above (eg, the French regulation) may not be universally supported by all Member States, given the relatively broad wording that may lead to diverging interpretations. As a result, it may prove challenging to reach agreement between the Member States on the definition and limits of any new identity theft offence. EU initiatives in this area should thus duly consider what activities they really aim to address, which (if any) unintended side effects may occur on the basis of proposed definitions, and how new proposals relate to existing laws, including the Data Protection Directive and cybercrime regulations such as the aforementioned Framework Decision on Attacks Against Information Systems and the Council of Europe Convention on Cybercrime.

9.1.3 Conclusions with respect to case law

It is clear that the case law presented in the country reports represents only a single data point for each country (as it was collected via a single correspondent), and therefore that it should not be considered comprehensive. The main conclusion is that appropriate criminal classifications exist for each of the five chosen scenarios in each of the examined countries. Actual case law is less prevalent, but when available, it shows that traditional legal qualifications (notably fraud) are the typical response to incidents of identity theft. Thus, the country reports do not support the contention that there is a clear legal vacuum to be filled in order to combat identity theft.
It is also clear, however, that there is a significant disparity in the sanctions applied in each case; but, as has already been noted above, this is the result both of differences in case details and of the conscious policy choice to leave this autonomy to the Member States, and thus it is not a challenge unique to identity theft.

9.1.4 Conclusions with respect to reporting mechanisms

It seems that many of the countries covered by the present study have adopted online tools to allow victims (and/or witnesses) to report crimes in general and, in a smaller number of instances, identity theft incidents. In many jurisdictions, as pointed out above, it is not possible to report identity theft cases if they cannot be qualified as crimes or if they do not violate data protection legislation. However, based on the analysis of the five scenarios used in the country reports, in most cases identity theft incidents are likely to be qualified either as criminal offences or as privacy violations. The spectrum of possibilities offered by the jurisdictions analysed in this Study is very wide, ranging from online ad hoc identity theft reporting mechanisms to a complete absence of reporting mechanisms, and to websites focusing on cybercrime, identity theft or fraud in general. In the middle of this spectrum, we encountered opportunities to report offline identity theft incidents via dedicated channels (the Netherlands), to report online crimes to the competent law enforcement agencies and/or to the competent privacy/telecommunications authority, and to report offences to the abovementioned authorities exclusively offline (the Czech Republic, where, however, dedicated informative sites exist).
It should also be acknowledged that in some countries, like Denmark, private bodies with an existing business relationship with the victims (in this case banks) can play a strong complementary role by collecting reports about identity theft incidents and forwarding them to the competent authorities. Every system has its strengths and its weaknesses. In general, however, from a good practice dissemination perspective it would seem advisable that each country establish at a minimum a single online reporting mechanism where identity theft incidents can be reported. This can be either a dedicated identity theft reporting site or a more generic incident reporting site; in the latter case it would be advisable to ensure that victims (or simply concerned citizens) can find sufficient information on identity theft threats and appropriate follow-up actions on their part. The effort of the public authorities in Luxembourg to educate pupils at school about these issues is an interesting example of a proactive approach. Citizens who know the risks are of course the first, and best, defence against fraudsters and other online criminals. Looking ahead, it is worth noting that only one of the examined reporting sites (namely the Dutch one) supports two-way communication by allowing the victim to stay informed about the follow-up given to a specific report (if any). In the Netherlands, tri-weekly update reports are made available to the victim (although this does not appear to involve the reporting website as such). Such two-way communication facilities can be considered a good practice, as they remove the ‘black box’ impression that most current reporting mechanisms give: once a complaint is filed, it is often unclear to the reporting individual what follow-up (if any) is given to the complaint.
A second and more obvious observation is the need to ensure the proper integration of these national reporting mechanisms into a European-level system to facilitate cross-border investigations. The establishment of a single EU-level reporting site might be a worthwhile avenue for exploration, as would the use at the national level of harmonised reporting forms/questions, which would further facilitate cross-border investigations. Finally, the frequent use of such reporting mechanisms would also support the more systematic collection of statistical data on identity theft, including the prevalence of specific categories of identity theft, their consequences for the victim, and possibly the outcome of any investigations. Such data is now largely unavailable at the national level, and largely incomparable at the European level even where it exists. Improving the availability of statistical data would improve awareness of identity theft risks, increase know-how, and facilitate policymaking at the national and European level, if implemented in a sufficiently homogeneous way across the Member States.

9.2 Recommendations

This then brings us to the problem of where best to intervene at the EU level, since the cross-border potential of these forms of misuse (especially where identity theft and identity-related crimes are linked to organised crime, money laundering or terrorism) requires concerted action amongst Member States but also at the EU level, and even internationally. The complexities of bringing into force a single pan-European instrument are not insignificant, primarily because this would require a common understanding of the scope of the concept of identity theft. As Chapter 1 shows, a generally agreeable definition of identity theft remains elusive amongst practitioners, experts and academics.
It seems that many on the front line take the view that ‘we know identity theft when we see it’, but of course this approach has its limits: whilst it may be sufficient for police and operational-level coordination, cross-border cases require a rather clearer understanding. Nonetheless, the evidence presented in this report suggests that key policy priorities should revolve around the sharing of best practices and improving communication. The scenarios examined in the country reports generally do not indicate that there is a clear legal vacuum to be filled, nor do the comments provided by the correspondents or the analysis above. Obviously, however, the question of the existence of any regulatory vacuum depends on how one chooses to define identity theft; thus, the emergence of a common understanding of this concept might also clarify whether any gap exists. On the basis of existing regulations, policies and case law, there does not appear to be a universal perception among the Member States that there is such a regulatory vacuum to be filled. In contrast, the improvement of communication is a recurring theme, which applies both to exchanges between victim and investigator, and between investigators in different Member States. Setting up ‘one-stop shops’ is a key part of the solution, as these allow identity theft victims to report identity crimes more easily, and can also act as a communications channel enabling investigators to keep victims updated on the status of specific investigations. Indeed, such an approach is reflected in the Stockholm Programme, where the European Commission was invited to take measures to enhance/improve public-private partnerships.
A second pivotal point is the collaboration between national investigative bodies through an EU contact network, as is foreseen in Council Framework Decision 2005/222/JHA, at least for electronic identity theft, and in the Council Conclusions of March 2010 on implementing a concerted strategy to combat cybercrime, which envisages a variety of softer measures such as:

• The consolidation and, if necessary, updating of the functions of the European Cybercrime Platform (subsequently elaborated in the remit of Europol’s European Cybercrime Task Force and the Internet Crime Reporting Online System (ICROS)).

• Foreseeing a permanent liaison body with user and victim organisations and the private sector.

These should facilitate interactions at the European level, which would improve the effectiveness of European-scale investigations, with the additional benefit that such experiences could be extended to other categories of criminal investigations. Further down the road, it is equally important to extend this approach to other countries (as foreseen in the Convention on Cybercrime), which will require renewed policy attention on this point. Finally, identity theft also clearly faces the challenge of policy priority. This is not a matter of putting in place suitable legislation (which law applies) or addressing operational challenges (who to talk to in international investigations), but simply a matter of prioritisation: which cases of identity theft and fraud are worth investigating and prosecuting? The question is not trivial. Especially in international cases with an Internet component (eg, creation of false identities to enable fraud), investigations can be complex and very time consuming, and as a consequence also very expensive.
The country reports identified several instances where cases were not followed up, simply because of a real or perceived disproportion between the harm suffered by the victim and the resources required to take action (especially considering the uncertainty of the outcome beforehand). This is, however, a challenge that applies to most categories of international crime, especially those conducted via the Internet, where a skilled criminal can often hide traces more easily. Here, too, a common position needs to be found at the international level, since differences in investigation and prosecution priorities between countries will only lead to investigations in one country being blocked if they are not considered important enough by investigators in a different country. Based on this approach, reporting of identity theft incidents could be improved, as could the follow-up of complaints and the effectiveness of international investigations. Our study illustrates that at the national level, despite the absence of a single pan-European instrument governing identity theft, there is little evidence of significant gaps in legislative responses to identity theft incidents. However, there remain a number of challenges in respect of the implementation and interpretation of existing legal frameworks with respect to identity theft and identity-related crime, most notably the applicability of existing rules with respect to e.g. fraud or forgery to such incidents, and the disparities observed in non-legal responses (e.g. presence and efficacy of reporting points, awareness campaigns and so on).
Arguably, as the UNODC report illustrates, such non-legal responses may be considered a more effective route to addressing these forms of misuse.94 In large part, this is a question of reducing the opportunity for identity theft and identity-related crime in the first instance, by governments acknowledging the limits of their own responsibility and putting in place effective educative and awareness-raising tools to encourage individuals to take responsibility.95 In effect, policy focus in this area may be better served on the basis of ‘helping people to help themselves’, whilst noting the specific opportunities for public policy intervention (e.g. in strengthening identity infrastructures). If any further European intervention were to be considered to improve the effectiveness of national or European responses to identity theft, the evidence of this stock-taking study suggests that (a) non-legal responses should be a high priority of any policy approach, rather than focusing on the definition of a new subtype of crime; (b) there is currently no common understanding of the notion of ‘identity theft’, which will make the drafting of a clear common definition extremely challenging; and (c) there is a substantial risk of overlap with existing criminal provisions, notably with respect to fraud and/or forgery, when attempting to define new crimes. Ensuring consistency in national criminal law enforcement is therefore of paramount importance. Based on these observations, any regulatory initiatives aiming to introduce new criminal concepts into national criminal law should undergo a formal regulatory impact assessment to determine if/how these issues can be addressed in a satisfactory manner.

94 Chryssikos et al. (2008), p.93
95 Felson, M. and Clarke, R.V. (1998)

REFERENCES

Reference List

Australian Bureau of Statistics (2008), ‘Personal Fraud: Nearly $1 billion dollars lost to Personal Fraud in Australia,’ press release citing the Personal Fraud 2007 study (cat. no. 4528.0). As of 28 January 2011: http://www.abs.gov.au/ausstats/abs@.nsf/Products/4500.0~2008~Main+Features~Crime?

Canadian Department of Justice (2006), ‘Identity Theft: Consultation on Proposals to Amend the Criminal Code,’ Criminal Law Policy Section, June 2006. [Cited in Sproule and Archer (2007)]

Choo, K-K.R., R.G. Smith & R. McCusker (2007), ‘Future directions in technology-enabled crime: 2007–09,’ Australian Government, Australian Institute of Criminology.

Chryssikos, D., N. Passas & C.D. Ram (eds.) (2008), ‘The evolving challenge of identity-related crime: addressing fraud and the criminal misuse and falsification of identity,’ International Scientific and Professional Advisory Council of the United Nations Crime Prevention and Criminal Justice Programme (ISPAC), Milan.

CIFAS (2010), ‘2009 Fraud Trends,’ press release. As of 28 January 2011: http://www.cifas.org.uk/default.asp?edit_id=969-57

CIMAP (2007), Identity Fraud Trends and Patterns: Building a Data-Based Foundation for Proactive Enforcement, Utica.

Clarke, R. (1994), ‘Human Identification in Information Systems: Management Challenges and Public Policy Issues,’ Information Technology and People 7:6–37. As of 28 January 2011: http://www.rogerclarke.com/DV/HumanID.html

Collins, J.M. (2003), ‘Business Identity Theft: The Latest Twist,’ Journal of Forensic Accounting 1524–5586/Vol. IV:302–06. As of 28 January 2011: http://www.auditnet.org/articles/jfa-collins.pdf

Collins, J.M. (2005), Preventing Identity Theft in Your Business. Hoboken, NJ: John Wiley and Sons.
Cybertrust and Crime Prevention (CTCP) (2004), ‘Gaining Insights from Three Different Futures: Final Report to the Foresight Directorate,’ UK Office of Science and Technology, 10 June 2004. Available at: http://www.foresight.gov.uk

Dutch Ministry of Justice (2003), Hoofdlijnen kabinetsbeleid fraudebestrijding 2003–2007 [Main lines of government policy on combating fraud 2003–2007].

Felson, M. and Clarke, R.V. (1998), ‘Opportunity Makes the Thief: Practical theory for crime prevention,’ in Webb, B. (ed.), Policing and Reducing Crime Unit Police Research Series Paper 98, Home Office, Research and Statistics Directorate, London.

FIDIS (2006), ‘D5.2b: ID-related Crime: Towards a Common Ground for Interdisciplinary Research,’ R. Leenes (ed.). As of 28 January 2011, available at: www.fidis.net

FIDIS (2009), ‘D3.17: Identity Management Systems – recent developments,’ M. Meints & H. Zwingelberg (eds.). As of 28 January 2011, available at: www.fidis.net

Fraud Prevention Expert Group (FPEG) (2007), ‘Report on Identity Theft/Fraud.’ As of 28 January 2011: http://ec.europa.eu/internal_market/fpeg/docs/id-theft-report_en.pdf

Gercke, M. (2007), ‘Internet-related identity theft: A discussion paper prepared by Marco Gercke (Germany),’ Council of Europe, Strasbourg. As of 25 January 2011: http://www.itu.int/osg/csd/cybersecurity/WSIS/3rd_meeting_docs/contributions/Internet_related_identity_theft_%20Marco_Gercke.pdf

Gordon, G.R., N.A. Willox, D.J. Rebovich, T.M. Regan & J.B. Gordon (2004), ‘Identity Fraud: A Critical National and Global Threat,’ Journal of Economic Crime Management 2:1–47.

Grijpink, J.H.A.M. (2003), ‘Identiteitsfraude als uitdaging voor de rechtstaat [Identity Fraud as a Challenge to the Rule of Law],’ Privacy & Informatie, 148.

IAAC (2009), ‘Identity Assurance Concluding Report 2009,’ Information Assurance Advisory Council, Swindon. As of 26 January 2011: http://www.iaac.org.uk/research/concluding_rpt.html

Javelin (2005), ‘2005 Identity Fraud Survey Report (Complimentary Overview),’ Javelin Strategy & Research, Pleasanton, CA. [Cited in Sproule and Archer (2007)]

Javelin (2009), ‘2009 Identity Fraud Survey Report (Complimentary Overview),’ Javelin Strategy & Research, Pleasanton, CA.

Knopjes, F. (2009), European Identity Systems: A Comparative Study, Lisbon.

Koops, B.J. & R. Leenes (2006), ‘Identity Theft, Identity Fraud, and/or Identity-related Crimes,’ Datenschutz und Datensicherheit 30/9:553–56.

Lacey, D. & S. Cuganesan (2004), ‘The Role of Organizations in Identity Theft Response: The Organization-Individual Victim Dynamic,’ The Journal of Consumer Affairs 38:244–61.

Liberty Alliance Project (2005), ‘Liberty Alliance Whitepaper: Identity Theft Primer.’ As of 28 January 2011: http://www.projectliberty.org/liberty/content/download/376/2687/file/id_theft_primer_final.pdf

Mitchison, N., M. Wilikens, L. Breitenbach, R. Urry & S. Portesi (2004), ‘Identity Theft – A discussion paper,’ European Commission, Directorate-General Joint Research Centre, Italy.

Morris, S. (2004), ‘The Future of Netcrime Now,’ UK Home Office Online Report 62/04. As of 28 January 2011: http://rds.homeoffice.gov.uk/rds/pdfs04/rdsolr6204.pdf

Neumann, P.G. (1997), ‘The Social Security Internet Website: Technology and Privacy Implications.’ As of 28 January 2011: http://www.csl.sri.com/users/neumann/ssa.html

Newman, G.R. & M.M. McNally (2005), ‘Identity Theft Literature Review,’ Document No. 210459, U.S. Department of Justice.

Cave, J., C. Oranje, H.R. Schindler, A. Shehabi, P-B. Bruscher & N. Robinson (2010), ‘Trends in connectivity technologies and their socioeconomic impacts: Final report of the study: Policy Options for the Ubiquitous Internet Society,’ TR-776-EC, Santa Monica: RAND.

Organisation for Economic Co-Operation and Development (OECD) (2008), ‘OECD Policy Guidance on Online Identity Theft.’

Organisation for Economic Co-Operation and Development (OECD) (2009), ‘Online Identity Theft.’ As of 28 January 2011: http://browse.oecdbookshop.org/oecd/pdfs/browseit/9309021E.PDF

Olsen, E. (2002), ‘Personal Identity,’ in The Stanford Encyclopaedia of Philosophy, ed. E.N. Zalta, Stanford, USA. As of 28 January 2011: http://plato.stanford.edu/entries/identity-personal/

Perl, M. (2003), ‘It’s Not Always About the Money: Why the State Identity Theft Laws Fail To Adequately Address Criminal Record Identity Theft,’ Journal of Criminal Law and Criminology, Fall 2003:169–208.

Romanosky, S. et al. (2008), Do Security Breach Laws Reduce Identity Theft?, Heinz First Research Paper.

Savona, E.U. & M. Migone (2004), ‘The Fox and The Hunters: How IC Technologies Change the Crime Race,’ European Journal on Criminal Policy and Research 10:3–26.

Schneier, B. (2004), ‘Mitigating Identity Theft.’ As of 28 January 2011: http://bt.counterpane.com/identity-theft.html

Sproule, S. & N. Archer (2007), ‘Defining Identity Theft,’ paper presented at the Eighth World Congress on the Management of eBusiness (WCMeB 2007), 11–13 July 2007. As of 28 January 2011: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&isNumber=4285291&arnumber=4285319

UK Cabinet Office (2002), ‘ID Fraud: A Study,’ London.

World Privacy Forum (2006), ‘Medical Identity Theft: The Information Crime that Can Kill You.’ As of 28 January 2011: http://www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf

APPENDICES

Appendix 1: National Profiles

Table A.1: List of correspondents

Australia: James Forsaith, RAND Europe
Austria: Dr Max W. Mosing LLM LLM, Attorney at Law / Partner, Gassauer Fleissner Rechtsanwälte GmbH
Belgium: Hans Graux, time.lex Law Offices
Bulgaria: George Dimitrov, Dimitrov, Petrov & Co Law Offices
Canada: Lisa Klautzer, RAND Corporation, Santa Monica
China: Dr Prof Hong Xue, Director of the Institute for the Internet Policy & Law, Beijing Normal University
Cyprus: Olga Georgiades, Lexact Business & Legal Solutions
Czech Republic: Tomas Schollaert, Kines Law Offices
Denmark: Dr Henrik Udsen, University of Copenhagen
Estonia: Evelin Pärn-Lee, Sorainen Law Offices
Finland: Juhani Siira, Sorainen Law Offices
France: Fanny Coudert, time.lex Law Offices
Germany: Christoph Fey, Unverzagt-von Have Law Offices
Greece: Eleni Kosta, time.lex Law Offices
Hungary: Dr András Gerencsér
India: Dr Ponnurangam Kumaraguru, Assistant Professor, Indraprastha Institute of Information Technology, Delhi
Ireland: Prof Maeve McDonagh and Dr Fidelma White, University College Cork
Italy: Dr Gianluca Ansalone
Japan: Prof Yoshifuma Okada, Assistant Professor, Senshu University, Tokyo
Latvia: Agris Repss and Inese Rendeniece, Sorainen Law Offices
Lithuania: Sergejs Trofimovs and Renata Beržanskienė, Sorainen Law Offices
Luxembourg: Claire Léonelli, Molitor, Fisch & Associés Law Offices
Malta: Paul Gonzi and Antonio Ghio, Fenech and Fenech Law Offices
The Netherlands: Isa Dora Tytgat, time.lex Law Offices
Poland: Dr Dariusz Adamski, University of Wrocław
Portugal: Dr Pedro Simões Dias
Romania: Peter Buzescu, Buzescu Ca. Law Offices
Russian Federation: Stanislav Semiletov, RANS
Slovakia: Zuzana Halásová
Slovenia: Dr Alenka Žužek Nemec, Dept. of International Relations, Ministry of Public Administration
Spain: Cristina De Lorenzo, Sánchez Pintado & Núñez Law Offices
Sweden: Prof Christine Kirchberger, Swedish Law and Informatics Research Institute, University of Stockholm
United Kingdom: Prof Michael Levi, University of Cardiff
United States: Lisa Klautzer, RAND Corporation, Santa Monica

Scope and Structure of the National Profiles

The national profiles should provide a clear and concise overview of laws that could apply to identity theft crimes, an indication of how they are applied in practice, and the existence of any reporting mechanisms (such as websites). For the purposes of the national profiles, identity theft is defined as any action in which a party acquires, transfers, possesses, or uses personal information of a natural or legal person in an unauthorised manner, with the intent to commit, or in connection with, fraud or other crimes.96 Key elements include:

• malicious intent: the perpetrator has to act with the intent of committing criminal actions (after taking on the identity of the victim)
• consciously: the perpetrator has to intentionally (knowingly) take on the ‘false’ identity
• create a semblance: any form that tricks a third party into believing that the perpetrator is indeed the victim is included
• another one’s identity: the use of one’s own identity is not ID fraud
• using: only actual use, not merely possession, of the acquired identity is what constitutes fraud
• existing or non-existing: identities of living or dead persons, and existing or fictitious identities, can be used.

96 OECD (2008)
By way of example, the following incidents are considered instances of identity theft:
• Phishing, ie, using emails and/or falsified websites to trick users into giving up identity information (eg, bank account numbers or passwords)
• Abuse/forgery of identity documents (eg, creating false passports)
• Spyware used to obtain identity information (eg, installing a computer programme that records which usernames and passwords are used and communicates these to a hacker)
• Electronic communication interception (eg, logging email exchanges with the intent to use them for fraud)
• Phone and email scams in which the perpetrator uses a false identity
• Trafficking in personal information (eg, selling databases of credit card numbers)
• Falsifying signatures on a legal document
• Skimming (ie, using a credit card reader (skimmer) to swipe and store credit card numbers without the victim’s knowledge).

The following sections in relation to identity theft are expected to be included in each national profile:
- Applicable laws: in this section, the correspondent will be asked to identify the main laws which apply to identity theft incidents in his/her country. Given the very broad scope of the identity theft concept, the emphasis will be on identifying any laws that were explicitly created to define identity theft (which may not exist in all countries) and on a specific selection of commonly applicable laws, as will be identified below. References to the laws must be provided, along with a short summary of the applicable provisions.
- Application in practice: a short overview should be provided of how these laws are applied in practice, on the basis of a short selection of identity theft incidents. If specific case law is available, the correspondents are requested to provide references and summaries; if not, then an indication of whether they consider specific laws to be applicable will be sufficient.
- ID theft reporting mechanisms: the correspondent should identify any existing or planned reporting mechanisms (websites) such as one-stop shops, hotlines or portals. Particular attention is to be directed to identify the existence of one-stop shops dedicated exclusively to identity theft; however, websites focusing on cybercrime or fraud in general may be reported as well if they also partially cover identity theft.
- Assessment: finally, the correspondent is asked to provide his/her personal appreciation of the national situation.

National correspondents are required to maintain the structure outlined above, and may not omit or disregard any sections. The exact contents will be covered in further detail below. The expected total size of each profile is 4 to 8 pages.

Relevant sources and references

The national correspondents are requested to include references to the sources that they have consulted, in particular online sources (when available) and any consulted contact persons (if applicable). A useful starting point for some countries may be the FIDIS Identity Law survey (see https://idls.rechten.uvt.nl/), although it should be noted that this information is not comprehensive (not all countries are covered) and not necessarily up to date. Whenever referring to national legislation or institutions, the correspondents are required to provide the local name as well as an English language translation.

Australia

Laws focusing explicitly on ID theft

Australia does not have a federal law that specifically criminalises ‘identity theft’, although a bill to that effect is before the federal parliament. This bill would introduce a new Part 9.5 ‘Identity crime’ into the Commonwealth Criminal Code. Although the bill is not yet federal law, mirror legislation has been adopted by several Australian states and it is therefore useful to summarise its main features.
Law criminalising ID theft (bill before federal Parliament)
Relevant law: Law and Justice Legislation Amendment (Identity Crimes and Other Measures) Bill 2008
Reference: http://www.comlaw.gov.au/ComLaw/legislation/bills1.nsf/0/97D036F315B0268CCA257514001EE613/$file/R4020B.pdf
Main provisions in relation to ID theft: The bill would introduce the following three offences:
• Dealing in identification information. A person (the first person) commits an offence if: (a) the first person deals in identification information; and (b) the first person intends that any person (the user) (whether or not the first person) will use the identification information to pretend to be, or to pass the user off as, another person (whether living, dead, real or fictitious) for the purpose of: (i) committing an offence; or (ii) facilitating the commission of an offence; and (c) the offence referred to in paragraph (b) is an indictable offence against a law of the Commonwealth.
• Possession of identification information. A person (the first person) commits an offence if: (a) the first person possesses identification information; and (b) the first person intends that any person (whether or not the first person) will use the identification information to engage in conduct; and (c) the conduct referred to in paragraph (b) constitutes an [indictable offence against a law of the Commonwealth].
• Possession of equipment used to make identification documentation. A person (the first person) commits an offence if: (a) the first person possesses equipment; and (b) the first person intends that any person (whether or not the first person) will use the equipment to make identification documentation; and (c) the first person intends that any person (whether or not referred to in paragraph (b)) will use the identification documentation to engage in conduct; and (d) the conduct referred to in paragraph (c) constitutes an [indictable offence against a law of the Commonwealth].
Prescribed sanction: Imprisonment for: 5 years (dealing in identification information); 3 years (possession of identification information); 3 years (possession of equipment).

This federal bill followed a nation-wide consultation process that resulted, in March 2008, in a report on Identity Crime by the Model Criminal Law Officers’ Committee of the Standing Committee of Attorneys-General, a body representing the Attorneys-General of the Commonwealth and all States and Territories.97 The purpose of the three specific offences, in the Committee’s own words, is to ‘comprehensively cover identity fraud and identity theft’. However, due to Australia’s constitutional division of powers, the federal bill implementing these is expressed to apply only to Commonwealth predicate offences, ie, it would not criminalise the conduct in question if the person’s intention related only to the commission of state and territory offences. The then Federal Minister for Home Affairs, Bob Debus, therefore recommended, when the bill was introduced, that state and territory governments pass mirror legislation. Whereas the federal legislation still has not been passed by Parliament, most Australian states have now enacted specific identity theft crimes. South Australia and Queensland took this step before the introduction of the federal bill; other states have done so subsequently.
The situation at state and territory level is as follows:

South Australia was the first Australian jurisdiction to criminalise identity theft, in 2003, by inserting Part 5A ‘Identity theft’ into the Criminal Law Consolidation Act 1935.98 This provides for three offences:
• False identity etc. A person who (a) assumes a false identity; or (b) falsely pretends (i) to have particular qualifications; or (ii) to have, or to be entitled to act in, a particular capacity, makes a false pretence to which this section applies. A person who makes a false pretence to which this section applies intending, by doing so, to commit, or facilitate the commission of, a serious criminal offence is guilty of an offence and liable to the penalty appropriate to an attempt to commit the serious criminal offence.
• Misuse of personal identification information. A person who makes use of another person's personal identification information intending, by doing so, to commit, or facilitate the commission of, a serious criminal offence, is guilty of an offence and liable to the penalty appropriate to an attempt to commit the serious criminal offence.
• Prohibited material. Prohibited material means anything (including personal identification information) that enables a person to assume a false identity or to exercise a right of ownership that belongs to someone else to funds, credit, information or any other financial or nonfinancial benefit. A person who (a) produces prohibited material; or (b) has possession of prohibited material, intending to use the material, or to enable another person to use the material, for a criminal purpose is guilty of an offence. Maximum penalty: Imprisonment for 3 years. A person who sells (or offers for sale) or gives (or offers to give) prohibited material to another person, knowing that the other person is likely to use the material for a criminal purpose is guilty of an offence. Maximum penalty: Imprisonment for 3 years. A person who is in possession of equipment for making prohibited material intending to use it to commit an offence against this section is guilty of an offence. Maximum penalty: Imprisonment for 3 years.

97 http://www.scag.gov.au/lawlink/SCAG/ll_scag.nsf/vwFiles/MCLOC_MCC_Chapter_3_Identity_Crime__Final_Report_-_PDF.pdf/$file/MCLOC_MCC_Chapter_3_Identity_Crime_-_Final_Report_-_PDF.pdf
98 http://www.legislation.sa.gov.au/lz/c/a/criminal%20law%20consolidation%20act%201935/current/1935.2252.un.pdf

In 2007, Queensland inserted section 408D into its Criminal Code: Obtaining or dealing with identification information.99 A person who obtains or deals with another entity’s identification information for the purpose of committing, or facilitating the commission of, an indictable offence commits a misdemeanour. Maximum penalty: 3 years imprisonment.

More recently, three other states have enacted laws based on the recommendations of the Model Criminal Law Officers’ Committee. In Victoria, the Crimes Act 1958 now includes Part 1 Division 2AA ‘Identity Crime’, in similar terms to the federal bill discussed above.100 In New South Wales, the Crimes Act 1900 now includes Part 4AB ‘Identity offences’, also in similar terms to the federal bill, but with higher penalties (10 years for dealing in identification information; 7 years for possession of identification information; 3 years for possession of equipment).101 Likewise, in Western Australia, the Criminal Code now includes Chapter LI ‘Identity crime’, also in similar terms to the federal bill but with higher penalties.102 The state of Tasmania, the Northern Territory and the Australian Capital Territory have yet to introduce bills focusing specifically on ID theft.
Other laws that may apply to ID theft incidents

This section focuses on federal legislation only.

99 http://www.legislation.qld.gov.au/legisltn/current/c/crimincode.pdf
100 http://www.legislation.vic.gov.au/domino/Web_Notes/LDMS/LTObject_Store/LTObjSt1.nsf/DDE300B846EED9C7CA257616000A3571/3EDADA8DAAA93CDCCA257761001C75E4/$FILE/586231a221.pdf
101 http://www.legislation.nsw.gov.au/inforcepdf/1900-40.pdf?id=9c895515-e9c7-4e07-c225-bccc258ccfdd
102 http://www.slp.wa.gov.au/legislation/statutes.nsf/main_mrtitle_218_homepage.html. The provisions are contained in the notes at the end of the Criminal Code, because they have not yet been proclaimed. They will likely enter into force very soon.

Privacy protection and data protection legislation

Information privacy
Relevant law: Privacy Act 1988
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/CDFBC6BC359968E4CA257758001791A7?OpenDocument
Main provisions in relation to ID theft: The Act establishes the office of the Privacy Commissioner, who conducts investigations and reports on ‘interferences with privacy’, ie, conduct ‘contrary to, or inconsistent with’ privacy principles set out in the act. These principles are not backed with criminal sanctions; however, Commonwealth government employees who breach them may incur criminal liability through other means. There are some specific criminal provisions in Part IIIA ‘Credit reporting’ and Part VIA ‘Dealing with personal information in emergencies and disasters’.
Prescribed sanction: Fines (for credit reporting offences); imprisonment for 1 year (unlawful disclosure of personal information received in an emergency or disaster).

Personal financial information
Relevant law: Criminal Code Part 10.8
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/FB4F4790CE87730FCA25777300264F75/$file/CriminalCode1995_WD02.pdf
Main provisions in relation to ID theft: 480.4: Dishonestly obtaining or dealing in personal financial information, ie, ‘information relating to a person that may be used … to access funds, credit or other financial benefits.’ 480.5: Possession or control of a thing with intention to commit an offence against 480.4.
Prescribed sanction: 5 years imprisonment (dishonestly obtaining or dealing); 3 years (possession or control of a thing)

Criminal law

Fraud
Relevant law: Criminal Code Part 7.3 ‘Fraudulent conduct’
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/FB4F4790CE87730FCA25777300264F75/$file/CriminalCode1995_WD02.pdf
Main provisions in relation to ID theft: 134: Obtaining property and financial advantage by deception are criminalised, but only where the victim is a Commonwealth entity. Otherwise, there are broadly similar provisions in state and territory laws.
Prescribed sanction: 10 years imprisonment

False and misleading statements
Relevant law: Criminal Code Part 7.4 ‘False and misleading statements’
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/FB4F4790CE87730FCA25777300264F75/$file/CriminalCode1995_WD02.pdf
Main provisions in relation to ID theft: 136: Making a false or misleading statement in an application to the Commonwealth, or in relation to a law of the Commonwealth. 137: Giving false or misleading information to the Commonwealth, or in purported compliance with a law of the Commonwealth.
Prescribed sanction: 12 months imprisonment

Forgery
Relevant law: Criminal Code Part 7.7 ‘Forgery and related offences’
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/FB4F4790CE87730FCA25777300264F75/$file/CriminalCode1995_WD02.pdf
Main provisions in relation to ID theft: 144: Making a false document with the intent that it will be accepted by the Commonwealth as genuine, thereby dishonestly obtaining a gain, causing a loss or influencing the exercise of a public function of the Commonwealth.
Prescribed sanction: 10 years imprisonment

Postal offences
Relevant law: Criminal Code Part 10.5
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/FB4F4790CE87730FCA25777300264F75/$file/CriminalCode1995_WD02.pdf
Main provisions in relation to ID theft: 471.1: Theft of an article in the course of post. 471.2: Receiving a stolen article. 471.8: Dishonestly obtaining delivery of an article.
Prescribed sanction: 10 years imprisonment for theft and receiving; 5 years for dishonestly obtaining.

Telecommunications offences
Relevant law: Criminal Code Part 10.6
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/FB4F4790CE87730FCA25777300264F75/$file/CriminalCode1995_WD02.pdf
Main provisions in relation to ID theft: 474.5: Causing a communication to be received by a person or carriage service other than the person or service to whom it is directed.
Prescribed sanction: 10 years imprisonment for theft and receiving; 5 years for dishonestly obtaining.

Cybercrime – unauthorised impairment
Relevant law: Criminal Code Part 10.7
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/FB4F4790CE87730FCA25777300264F75/$file/CriminalCode1995_WD02.pdf
Main provisions in relation to ID theft: 477.2: Unauthorised modification of data stored on a computer, being reckless as to whether the modification may impair access to, or the reliability of, this data or other data. 477.3: Unauthorised impairment of electronic communication. These offences must involve a telecommunications carriage service or concern Commonwealth computers or data.
Prescribed sanction: 10 years imprisonment.

Cybercrime – spam email (civil penalty provisions)
Relevant law: Spam Act 2003
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/DED153276FD7C6F9CA2570260013908A/$file/SpamAct03WD02.pdf
Main provisions in relation to ID theft: 16: Unsolicited commercial electronic messages must not be sent. 17: Commercial electronic messages must include accurate sender information. 20, 21, 22: Address-harvesting software must not be supplied, acquired or used.
Prescribed sanction: A range of pecuniary penalties.

Opening false accounts
Relevant law: Financial Transaction Reports Act 1988
Reference: http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/92D9EF651D840A88CA25768F0003B26C/$file/FinancTransReports1988.pdf
Main provisions in relation to ID theft: 24(1): opening an account with a cash dealer (broadly defined to include financial institutions, casinos, and other businesses) in a false name.
Prescribed sanction: Not specified in the legislation.

Application in Practice

There is no reported case law arising under any of the specific identity theft provisions referred to above.

Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else’s name)
Applicable law(s): The specific ID theft laws in operation in Australian states, and the proposed federal law, would capture this conduct only if there was also an intention that (or recklessness as to whether) the information would be used to commit a crime. For similar reasons, no other (federal) crimes cover the conduct in question.
Case law available? No known case law.
Unlawfully using another person’s credentials (eg, using someone else’s username or password to send emails in his/her name)
Applicable law(s): Again, the specific ID theft laws in operation in Australian states, and the proposed federal law, would capture this conduct only if there was also an intention that (or recklessness as to whether) the information would be used to commit a crime. If the purpose is commercial then this would constitute an infringement of the Spam Act 2003, attracting civil penalties.
Case law available? No known case law.

Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else’s bank account)
Applicable law(s): Use of the information obtained would constitute ‘dealing in identification information’, whilst merely obtaining it would permit a charge of ‘possession of identification information’. In circumstances where special software or falsified websites were being used, it would be relatively easy for the prosecution to prove the necessary mental element (eg, intention to commit a crime, or recklessness as to the information being used for this purpose). Also, this conduct would constitute ‘obtaining property by deception’ under article 134 of the Criminal Code if directed at a Commonwealth entity. Each state and territory has similar fraud legislation to capture the (vast majority) of cases where the conduct is not directed at a Commonwealth entity. Also, the Spam Act (2003) outlaws the sending of unsolicited commercial emails and the sending of commercial emails with incorrect sender information, as well as the ‘harvesting’ of email addresses from the Internet.
Case law available? No known case law.

Using spyware to obtain identity information (eg, installing a computer programme that records which usernames and passwords are used and communicates these to a hacker)
Applicable law(s): There is no Australian law specifically targeting spyware (a Spyware Bill was introduced in 2005 but never passed). Again, use of the information obtained would constitute ‘dealing in identification information’, whilst merely obtaining it would permit a charge of ‘possession of identification information’. In circumstances where special software was being used, it would be relatively easy for the prosecution to prove the necessary mental element (eg, intention to commit a crime, or recklessness as to the information being used for this purpose).
Case law available? No known case law.

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law(s): As with previous scenarios, this would constitute dealing in identification information only if there was also an intention that (or recklessness as to whether) the information would be used to commit a crime. This will not be satisfied merely if the intention was to send unsolicited commercial emails, because the Spam Act 2003 does not criminalise this conduct (it merely provides for civil penalties). If there was a fraudulent element (eg, if the intention was to commit phishing.
Case law available? No

ID Theft Reporting Mechanisms

The Attorney-General’s Department maintains a website on identity security, which contains links to national strategies as well as a publication ‘Dealing with ID Theft’ (http://www.ag.gov.au/identitysecurity).
This document, which is aimed at members of the public, explains how identity theft can affect people’s lives, allows people to assess their own vulnerability, sets out preventative advice and also provides guidance on what to do in the event of possible identity theft, including relevant points of contact for reporting incidents.

The ‘protect your financial identity’ website (http://www.protectfinancialid.org.au/) is a joint initiative of the Australian Bankers Association, the Australian High Tech Crime Centre and the Australian Securities and Investments Commission. It provides numerous fact sheets, including lists of indicators that suggest that identity theft has occurred, and steps to take to report identity theft to relevant authorities.

The SCAMwatch website (http://www.scamwatch.gov.au) is maintained by the Australian Competition and Consumer Commission (ACCC). It deals with all types of scams, with one section devoted to identity theft. It also contains a section devoted to reporting scams. This allows members of the public to create a ‘scam report’ (by completing an online form), which then goes to the ACCC. There are also links on this site to other sites, including:
• The Australian Securities and Investments Commission (financial scams): http://www.fido.gov.au/fido/fido.nsf/byHeadline/Scams%20-%20reporting
• The Australian Taxation Office (tax scams): http://www.ato.gov.au/onlineservices/content.asp?doc=/content/00179605.htm&mnu=47106&mfp=001/010
• Various state consumer affairs agencies (local scams).

The Australian Communications and Media Authority provides an online facility to report spam emails and spam SMS messages (http://www.acma.gov.au/WEB/STANDARD/pc=PC_310294). Most of these websites also provide preventative advice.

Other sources of advice include:
• The ‘stay smart online’ website, maintained by the federal government, which includes videos on ‘protecting yourself from online identity theft’ (http://www.staysmartonline.gov.au/). A related government-sponsored initiative is National Cyber Security Awareness Week.
• The website of the Privacy Commissioner (http://www.privacy.gov.au/topics/identity).

Personal Assessment of the Framework Combating ID Theft

The Australian framework for combating ID theft is necessarily fragmented by the division of powers between the Commonwealth (federal) government and the states, which have residual legislative power in all areas not mentioned by the Commonwealth constitution. It is for this reason that the federal Law and Justice Legislation Amendment (Identity Crimes and Other Measures) Bill 2008 would create ID theft offences which apply only to dealing, possession, etc, for the purpose of committing an indictable offence against a law of the Commonwealth (only). In this regard, the Australian bill differs from the US Identity Theft and Assumption Deterrence Act, which applies to ‘activity... that constitutes a felony under any state or local law’. The scope of many of the other applicable laws is similarly limited. Thus many acts are criminalised at federal level only where they involve Commonwealth laws, property, entities, employees, etc. In some cases, the constitution allows for federal legislation to be phrased more broadly, as with offences of a commercial nature, or those which involve the transmission of information using a ‘telecommunications carriage service’. In general, it should be noted that ‘gaps’ in the federal law are very often covered at state level. For example, fraud in the Commonwealth Criminal Code applies only where the Commonwealth is the victim, but fraud is also criminalised in each state and territory.

Whereas the federal ID theft bill of 2008 has still not been passed by Parliament, the five most populous states all now have specific ID theft crimes on the books. Generally, these are not standalone offences; they are based on an intention to commit or facilitate other criminal conduct. In this regard, they add to the inchoate offences already provided for by the common law or by statute, eg, attempting to commit a crime.103 From a law enforcement perspective, they are potentially useful (in broadly the same way as some counter-terrorism laws) because they criminalise conduct at an early stage, before it has gone far enough to constitute an attempt or conspiracy. However, in practice they have not been utilised. There are no cases arising under any of the specific ID theft provisions. This may simply reflect that the laws have not been on the books for very long, although in South Australia (albeit a jurisdiction of a little over 1m people) they have gone unused since their introduction in 2003. Another possible explanation is that policing of identity theft remains largely reactive. If this is the case, then offenders are likely to have committed, or at least attempted other crimes by the time they are arrested, making it unnecessary to overload the indictment with additional charges. Despite the lack of utilisation of ID theft law to date, it should not be assumed that authorities are generally slow to recognise and prosecute new crimes. For example, although there are not yet any reported ID theft-related (eg, phishing) cases arising under the Spam Act 2003, the act itself has been successfully used in the case of Australian Communications and Media Authority v Clarity1 Pty Ltd [2006] FCA 410, with civil penalties being ordered against the respondents for sending unsolicited commercial electronic messages, and for using harvested address lists.

103 This view, that the offences resemble inchoate offences in nature, is supported by the fact that in most cases it is specifically provided for that, eg, ‘It is not an offence to attempt to commit an offence against this section’.

Austria

Laws focusing explicitly on ID theft

No legislation has been introduced in Austria that focuses explicitly on ID theft as a specific crime, or that defines such a crime. In practice, ID theft incidents are combated using the general provisions below (in relation to personal data protection, ‘cyber crime provisions’, fraud, etc.). No such legislation is currently under consideration in light of the information available.

Other laws that may apply to ID theft incidents

Privacy protection and data protection legislation

Privacy and ID Protection Provisions in the General Civil Code
Relevant law: General Civil Code; original promulgation: State Gazette 1811/946, last amendments: Federal Law Gazette I 2009/135 (Allgemeines bürgerliches Gesetzbuch (ABGB), JGS 1811/946 idF BGBl I 2009/135)
Reference: See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001622 (only in German)
Main provisions in relation to ID theft: Sec 16 ABGB stipulates (since 1811) that every human being has personal rights and that those are protected. According to the common interpretation in Austria, this provision also safeguards the ‘identity’ of every human being.
Sec 43 ABGB stipulates (since 1811): ‘If someone’s right to use his/her name is denied or is compromised by unauthorized use of his/her name (or pseudonym), he/she is entitled to sue for injunctive relief and in case of default also for damages.’
Prescribed sanction: Pursuant to the general provisions of the ABGB and pursuant to the specific sanctions in Sec 43 ABGB the person whose identity/name is abused may sue for injunctive relief and in case of default also for damages in front of the Civil Courts.

Data Protection Act 2000
Relevant law: Federal Act Concerning the Protection of Personal Data 2000; original promulgation: Federal Law Gazette I 1999/165, last amendments: Federal Law Gazette I 2009/135 (Bundesgesetz über den Schutz personenbezogener Daten - Datenschutzgesetz 2000 (DSG 2000), BGBl I 1999/165 idF BGBl I 2009/135)
Reference: See http://www.dsk.gv.at/site/6274/default.aspx
Main provisions in relation to ID theft: As under the Data Protection Directive 95/46/EC, ID theft incidents will typically constitute unlawful processing. Sec 1 DSG 2000 stipulates the ‘Fundamental Right to Data Protection’: ‘Everybody shall have the right to secrecy for the personal data concerning him, especially with regard to his private and family life, insofar as he has an interest deserving such protection. Such an interest is precluded when data cannot be subject to the right to secrecy due to their general availability or because they cannot be traced back to the data subject.’ Sec 33 DSG 2000 stipulates a provision for compensation of damages: ‘(1) A controller or processor, who has culpably used data contrary to the provisions of this DSG 2000, shall indemnify the data subject pursuant to the general provisions of civil law. If data falling under the categories listed in sect. 18 para. 2 no. 1 to 3 [Data deserving special protection – ‘Sensible Daten’] are publicly used in a manner that violates a data subjects' interests in secrecy deserving protection that is suitable to expose that person in a like manner to sect. 7 para. 1 of the Media Act, Federal Law Gazette No. 314/1981, that provision shall be applied even if the public use of data is not committed by publication in the media. The claim for appropriate compensation for the defamation suffered shall be brought against the controller of the data used. (2) The controller or processor shall also be liable for damages caused by their staff, insofar as their actions were causal for the damage. (3) The controller shall be free from liability if he/she can prove that the circumstances that caused the damage cannot be attributed to him/her or his/her staff (para. 2). This also applies to the exclusion of the processors' liability. In the case of contributory negligence on the part of the injured party or a person for whose conduct the injured party is responsible, sect. 1304 ABGB [contributory negligence] shall apply.’ Sec 51 DSG 2000 reads since 1/1/2010 as follows: ‘Whoever uses personal data that have been entrusted to or made accessible to him solely because of professional reasons, or that he has acquired illegally for himself or makes such data available to others or publishes such data with the intention to make a profit or to violate somebody’s rights pursuant to Sec 1 DSG 2000, despite the data subject's interest in secrecy deserving protection, shall be punished by a court with imprisonment up to one year, unless the offence shall be subject to a more severe punishment pursuant to another provision.’
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, including indemnification for ‘suffered mortification’ [‘erlittene Kränkung’] up to EUR 20,000 pursuant to Sec 33 DSG 2000 in combination with Sec 7 Media Act, the violations above can also be criminally sanctioned with imprisonment up to one year, unless the offence shall be subject to a more severe punishment pursuant to another provision.

Communications secrecy laws – existence and technical aspects of electronic communication and contents of electronic communication; Data Protection Provisions in the Telecommunications Act 2003
Relevant law: Federal Act Enacting a Telecommunications Act (Telecommunications Act 2003 – TKG 2003); original promulgation: Federal Law Gazette I 2003/70, last amendments: Federal Law Gazette I 2009/65 (Bundesgesetz, mit dem ein Telekommunikationsgesetz erlassen wird (Telekommunikationsgesetz 2003 - TKG 2003), BGBl I 2003/70 idF BGBl I 2009/65).
Reference: See http://www.ris.bka.gv.at/Dokumente/Erv/ERV_2003_1_70/ERV_2003_1_70.html
Main provisions in relation to ID theft: Sec 93 TKG 2003 reads as follows (especially note para 4): ‘(1) The content data, traffic data and location data shall be subject to confidentiality of the communications.
Confidentiality of the communications shall also refer to the data of unsuccessful connection attempts. (2) Every operator and all persons who are involved in the operator’s activities shall observe confidentiality of the communications. The obligation to maintain confidentiality shall continue to exist also after termination of the activities under which it was established. (3) Persons other than a user shall not be permitted to listen, tap, record, intercept or otherwise monitor communications and the related traffic and location data as well as pass on related information without the consent of all users concerned. This shall not apply to the recording and tracing of telephone calls when answering emergency calls and to cases of malicious call tracing as well as to technical storage which is necessary for the conveyance of a communication. (4) If communications are received unintentionally by means of a radio system, a telecommunications terminal equipment or any other technical equipment which are not intended for this radio system, this telecommunications terminal equipment or the user of the other equipment, the contents of the communications as well as the fact that they have been received must neither be recorded nor communicated to unauthorized persons nor used for any purposes. Recorded communications shall be erased or otherwise destroyed.’

Sec 108 TKG 2003 reads as follows: ‘(1) Any person as defined in Sec 93 (2) who 1. without authorization discloses the fact or the contents of telecommunications traffic of specific persons to an unauthorized person or gives such a person the opportunity to perceive facts himself that are subject to the obligation to maintain secrecy, 2.
falsifies, incorrectly relates, modifies, suppresses or incorrectly conveys a communication or withholds it from the intended recipient without authorization, shall be punished by the court with a prison sentence of up to three months or a fine of up to 180 times the daily rate unless the offence carries a more severe penalty under another provision. (2) The offender shall be prosecuted only at the request of the aggrieved party.’

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of Sec 93 TKG 2003 are not sanctioned by the TKG 2003 itself, but might be sanctioned in terms of Sec 108 TKG 2003 and/or by the Penal Act (Sec 120 (2a) StGB: imprisonment up to three months or penal fine up to 180 daily rates).
• Violations of Sec 108 TKG 2003 can be criminally sanctioned with imprisonment of up to three months or a fine of up to 180 times the daily rate unless the offence carries a more severe penalty under another provision. However, the offender shall only be prosecuted at the request of the aggrieved party.

Criminal law

Penal Act and Provisions in Connection with ID Theft

Relevant law: Penal Act (Strafgesetzbuch - StGB).

Reference: See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10002296 (only in German).

Main provisions in relation to ID theft: The StGB stipulates numerous crimes that might be committed in connection with an ID theft:
• Sec 118a StGB stipulates the illegal access to a computer system as a crime;
• Sec 119 StGB stipulates the breach of the telecommunications secrecy as a crime;
• Sec 119a StGB stipulates the illegal seeking knowledge of transferred data as a crime;
• Sec 120 StGB stipulates the illegal use of recording devices as a crime.
Regarding espionage:
• Sec 123 StGB stipulates espionage for trade secrets as a crime; and
• Sec 124 StGB stipulates espionage for foreign countries as a crime.
Furthermore,
• Sec 126a StGB stipulates the damaging of data as a crime;
• Sec 126b StGB stipulates the interference with the functionality of a computer system as a crime;
• Sec 126c StGB stipulates the misuse of computer programs or access data as a crime.
And finally,
• Sec 148a StGB stipulates the fraudulent misuse of data processing as a crime; and
• Sec 225a StGB stipulates the forgery (including falsifying) of data with the intention to use the forged data as evidence as a crime.
Depending on the concrete ID theft incident the above provisions may apply. Furthermore, ID theft is often combined with the misuse of payment transactions, for which the StGB stipulates numerous additional specific provisions (Sec 241a to 241g StGB).

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of Sec 118a StGB regarding the illegal access to a computer system can be criminally sanctioned with imprisonment up to six months (in connection with a criminal organisation up to three years) or penal fine up to 360 daily rates.
• Violations of Sec 119 StGB regarding the breach of the telecommunications secrecy can be criminally sanctioned with imprisonment up to six months or penal fine up to 360 daily rates.
• Violations of Sec 119a StGB regarding the illegal seeking knowledge of transferred data can be criminally sanctioned with imprisonment up to six months or penal fine up to 360 daily rates.
• Violations of Sec 120 StGB regarding the illegal use of recording devices can be criminally sanctioned with imprisonment up to one year or penal fine up to 360 daily rates.
• Violations of Sec 123 StGB regarding espionage of trade secrets can be criminally sanctioned with imprisonment up to two years or penal fine up to 360 daily rates.
• Violations of Sec 126a StGB regarding the damaging of data can be criminally sanctioned – depending on the value of the data – with imprisonment up to five years.
• Violations of Sec 126b StGB regarding the interference with the functionality of a computer system can be criminally sanctioned – depending on the duration of the interference or commission as a member of a criminal organisation – with imprisonment up to five years.
• Violations of Sec 126c StGB regarding the misuse of computer programs or access data can be criminally sanctioned with imprisonment up to six months or penal fine up to 360 daily rates.
And finally,
• Violations of Sec 148a StGB regarding the fraudulent misuse of data processing can be criminally sanctioned – depending on the damage – with imprisonment up to ten years; and
• Violations of Sec 225a StGB regarding the forgery (including falsifying) of data with the intention to use the forged data as evidence can be criminally sanctioned with imprisonment up to one year.

Fraud

Relevant law: Penal Act (Strafgesetzbuch - StGB).

Reference: See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10002296 (only in German).

Main provisions in relation to ID theft: Fraud in general is punished by Sec 146 StGB. This article sanctions any act of using deception (including use of false names or titles, or any other type of deceptive manipulation or abuse of good faith or credulity) with a view to appropriating someone else’s property. This would apply to any ID theft incidents involving the use of a falsified identity to appropriate property.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of Sec 146 can be criminally sanctioned with imprisonment up to six months or with fines up to 360 daily rates. Please note that – depending on the damage and the concrete circumstances (eg, using official documents or incorrect data, etc.)
– the sanctions could also be imprisonment up to three years and even between one and ten years (if the damage is more than EUR 50,000).

Forgery with respect to identity (ie, falsifying identities on a document)

Relevant law: Penal Act (Strafgesetzbuch - StGB).

Reference: See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10002296 (only in German).

Main provisions in relation to ID theft: Forgery is punished by Sec 223 et seqq StGB, including particularly:
• Sec 223 StGB: the forgery (including falsifying) of any (signed) document with the intention to use the forged document as evidence is a crime.
• Sec 224 StGB: the forgery in terms of Sec 223 StGB by forging an official/public document is a crime.
• Sec 224a StGB: the possession and transfer of forged documents is a crime.
• Sec 225a StGB: the forgery (including falsifying) of data with the intention to use the forged data as evidence is a crime.
• Sec 231 StGB: the use of public documents showing the ID of somebody else is a crime.
Pursuant to Sec 311 StGB the producing of a false document by a public servant is a crime.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of Sec 223 StGB regarding the forgery of documents can be criminally sanctioned with imprisonment up to one year.
• Violations of Sec 224 StGB regarding the forgery of an official/public document can be criminally sanctioned with imprisonment up to two years.
• Violations of Sec 224a StGB regarding the possession and transfer of forged documents can be criminally sanctioned with imprisonment up to one year.
• Violations of Sec 225a StGB regarding the forgery of data can be criminally sanctioned with imprisonment up to one year.
• Violations of Sec 231 StGB regarding the use of public documents showing the ID of somebody else can be criminally sanctioned with imprisonment up to six months or a penal fine up to 360 daily rates.
• Violations of Sec 311 StGB regarding the producing of a false document by a public servant can be criminally sanctioned with imprisonment up to three years.

Cybercrime - illegal access to information systems (hacking)

Relevant law: Penal Act (Strafgesetzbuch - StGB).

Reference: See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10002296 (only in German).

Main provisions in relation to ID theft: Illegal access to information systems is punished by Sec 118a StGB: accessing an information system without authorisation by overcoming specific security mechanisms (‘external and internal hacking’) to obtain and use data for the purpose of obtaining profit or for the purpose of causing damage is a crime in terms of Sec 118a StGB. This would apply to any ID theft incidents involving the use of false credentials to gain unauthorized access to an information system, or to steal credentials from such a system. For further crimes in this context see above.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of Sec 118a StGB can be criminally sanctioned with imprisonment of up to six months or fines of up to 360 daily rates.

Cybercrime – illegal data interference

Relevant law: Penal Act (Strafgesetzbuch - StGB).

Reference: See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10002296 (only in German).
Main provisions in relation to ID theft: Illegal data interference is punished by Sec 108 TKG 2003 (see above) and Sec 126a StGB and Sec 126b StGB, including particularly:
• Sec 126a StGB: causing damage by changing or deleting electronically processed data without authorisation;
• Sec 126b StGB: entering information in a computer system without authorisation and thereby altering its normal use.
This would apply to any ID theft incidents involving the falsifying of identity information stored in an information system.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of Sec 108 TKG 2003 can be criminally sanctioned with imprisonment up to three months or fines up to 180 daily rates.
• Violations of Sec 126a StGB can be criminally sanctioned with imprisonment up to five years.
• Violations of Sec 126b StGB can be criminally sanctioned with imprisonment up to five years.

Cybercrime – computer-related forgery

Relevant law: Penal Act (Strafgesetzbuch - StGB).

Reference: See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10002296 (only in German).

Main provisions in relation to ID theft: Data-related forgery is punished by Sec 225a StGB: producing incorrect data or forging correct data by entering, changing, deleting or blocking data, in order to use these data for evidencing/showing a right, is a crime.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of Sec 225a StGB can be criminally sanctioned with imprisonment up to one year.

Cybercrime – computer-related fraud

Relevant law: Penal Act (Strafgesetzbuch - StGB).

Reference: See http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10002296 (only in German).
Main provisions in relation to ID theft: Computer-related fraud is punished by Sec 148a StGB: any act aiming to unlawfully appropriate someone else’s property by entering, changing or deleting information in an information system or altering its normal use by any technical means is forbidden.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of Sec 148a StGB can be criminally sanctioned with imprisonment up to six months or a penal fine up to 360 daily rates, or in the case of professional violation with imprisonment up to three years, or in the case of damage exceeding EUR 50,000 with imprisonment from one to ten years.

Application in practice

In the sections below, we examine if/how these regulations are applied in practice, including the identification of any known case law and resulting sanctions.

Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else’s name)

Applicable law(s): Such an incident would likely involve:
- violation of Sec 43 ABGB regarding the unauthorized use of names;
- if not generally available data of the other person are used, it could be a violation of the DSG 2000, since personal data of the victim would likely be unlawfully processed to make the false identity believable;
- data-related forgery (if the forgery changed the legal impact of the information);
- fraud, if the false identity was used to unlawfully appropriate property.

Case law available? No known case law by Higher Courts or the Austrian Supreme Court.
Unlawfully using another person’s credentials (eg, using someone else’s username or password to send emails in his/her name)

Applicable law(s): Unlawfully using another person’s credentials (eg, using someone else’s username or password to send emails in his/her name) could constitute:
- a violation of Sec 43 ABGB regarding the unauthorized use of names (pseudonym);
- a violation of the DSG 2000, since the credentials are likely to be considered personal data which are being unlawfully processed;
- a violation of Sec 108 TKG 2003, if this use can be qualified as falsifying the communication;
- a violation of Sec 118a StGB, if this use of the credentials can be qualified as unlawful access to data related to electronic communication;
- a violation of Sec 126c StGB, if the credentials can be qualified as access data;
- fraud (Sec 146 StGB), if falsified messages were sent to unlawfully appropriate property;
- forgery of data with the intention to use the forged data as evidence/to show an (access) right (Sec 225a StGB).

Case law available? No known case law by Higher Courts or the Austrian Supreme Court.

Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else’s bank account)

Applicable law(s): The act of phishing itself (independent from what the perpetrator would do with the stolen information) would likely be:
- a violation of the DSG 2000, since the credentials are likely to be considered personal data which are being unlawfully processed;
- a violation of Sec 123 StGB regarding espionage of trade secrets, if the obtained information can be qualified as a trade secret;
- fraud (Sec 146 StGB) and/or computer-related fraud (Sec 148a StGB);
- forgery of data, if the ‘trick’ involves forged data as evidence/to show the right to obtain the identity information (Sec 225a StGB).

Case law available?
No known case law, but there is case law regarding the civil law impact of a phishing attack on the relationship and liability between a bank and its customers. The ‘Cybercrimereport 2006’ of the Austrian Police says that there were 381 victims of ‘Phishing-Attacks’ in Austria.

Using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits

Applicable law(s): The act of using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits would likely be:
- if the name of another person is used, a violation of Sec 43 ABGB;
- if the ID of another person is used, a violation of the DSG 2000, since the data of the person entitled to social benefits have to be considered personal data which are being unlawfully processed;
- a violation of Sec 146 et seqq StGB and therefore fraud, because the Austrian State or the Austrian Social Insurance Company can also be victims in terms of Sec 146 et seqq StGB;
- a violation of Sec 223 et seqq StGB:
  • Sec 223 StGB: the forgery (including falsifying) of any (signed) document with the intention to use the forged document as evidence to be entitled to social benefits (eg, medical statements, etc.);
  • Sec 224 StGB: the forgery in terms of Sec 223 StGB by forging an official/public (especially ID) document to pretend to be entitled to social benefits;
  • Regarding online applications, etc.: Sec 225a StGB: the forgery (including falsifying) of data with the intention to use the forged data as evidence to be entitled to social benefits;
  • In case of using someone else’s ID: Sec 231 StGB: the use of public documents showing the ID of somebody else to pretend to be entitled to social benefits;
  • Regarding the involvement of public servants: Sec 311 StGB: the producing of a false document by a public servant, also in connection with social benefit proceedings etc., is a crime.

Case law available?
No known case law by Higher Courts or the Austrian Supreme Court.

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)

Applicable law(s): The act of trafficking in unlawfully obtained information would likely be a violation of the DSG 2000, since the personal information would be unlawfully processed.

Case law available? No known case law by Higher Courts or the Austrian Supreme Court.

ID theft reporting mechanisms

No Official Reporting Site for ID Theft in Austria

In Austria there exists no official reporting site for ID theft. However,
• http://www.bmi.gv.at/cms/bk/meldestellen/ is the official reporting site, inter alia for child pornography, but there is no site for ‘cyber crime’, although the implementation of such a site has been discussed for years in Austria.
• http://www.saferinternet.at/ is a website to empower citizens to use the Internet, as well as other information and communication technologies, safely and effectively. Saferinternet.at is the Austrian awareness node in the European Internet Safety Network (Insafe). Saferinternet.at seeks to give children, youths, parents, teachers and other interested parties tips and support to highlight and avoid risks when using the Internet, while at the same time illustrating the positive aspects of Internet use. Saferinternet.at runs an information campaign, provides information and teaching materials about safe and responsible use of the Internet, organises events and works closely with all Austrian projects in the area of safer Internet and the European Internet Safety Network. Saferinternet.at is funded by the European Commission (Safer Internet programme), the Federal Chancellery, ministries and industry sponsors (Microsoft, Telekom Austria TA AG). Saferinternet.at co-operates intensely with public administrations, non-governmental organisations and businesses.
The Austrian Institute for Applied Telecommunications (OIAT) is the co-ordinator of Saferinternet.at.
• http://www.stopline.at/ is an Internet reporting hotline which can be contacted by any Internet user very simply, quickly and informally – also anonymously – if he/she finds the following content on the Internet: (i) Child Pornography (§ 207a StGB - Austrian Penal Code) or (ii) National Socialist Offences (‘Verbotsgesetz’ - National Socialist Prohibition Act) and ‘Abzeichengesetz’ (Act Against The Wearing Of National Socialist Regalia And Symbols). Probably reports regarding ID theft would also be forwarded to the police (see above): after any report has been submitted to STOPLINE, the agents check whether the material is actually illegal under Austrian law. If so, STOPLINE immediately contacts the responsible executive authority, the affected Austrian ISP and the foreign partner hotlines within INHOPE, which is a network of hotlines against illegal content on the Internet. STOPLINE is funded by the EC within the Safer Internet Programme and is a member of INHOPE. The Association of Austrian Internet Service Providers (ISPA) runs this hotline.
Consequently, there is no general reporting site for ‘cybercrime’ and none for ID theft in Austria. Therefore, apart from what is said above, ID theft incidents should be reported to the general IT-Crime Department incorporated in the Federal Criminal Police Office (‘Bundeskriminalamt’) - http://www.bmi.gv.at/cms/BK/start.aspx.

Personal assessment of the framework for combating ID theft

Overall, it seems that the legal framework for combating ID theft incidents, but only those causing damages, is sufficiently comprehensive in Austria. However, there is no official contact point for reporting Internet crimes in general, nor for ID theft in particular, in Austria.
STOPLINE and the official contact point of the Federal Criminal Police Office (‘Bundeskriminalamt’) concentrate on (i) Child Pornography (§ 207a StGB - Austrian Penal Code) and (ii) National Socialist Offences (‘Verbotsgesetz’ - National Socialist Prohibition Act) and ‘Abzeichengesetz’ (Act Against The Wearing Of National Socialist Regalia And Symbols). Consequently, victims of ID theft are required to go through official channels (ie, registering a complaint with local police offices) up to the general IT-Crime Department incorporated in the Federal Criminal Police Office (‘Bundeskriminalamt’). This process seems to be rather non-transparent to victims. Moreover, ID theft does not appear to take a high priority in everyday crime practice in Austria.

Belgium

Applicable laws

Laws focusing explicitly on ID theft

No legislation has been introduced in Belgium that focuses explicitly on ID theft as a specific crime, or that defines such a crime. In practice, ID theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, etc.). No such legislation is currently under consideration to our knowledge. Instead, the policy emphasis in Belgium is more on improving awareness of ID theft risks among potential victims and law enforcement bodies.
Other laws that may apply to ID theft incidents

Data protection laws

Relevant law: Law of 8 December 1992 protecting the private sphere in relation to personal data processing (Wet tot bescherming van de persoonlijke levensfeer ten opzichte van de verwerking van persoonsgegevens / Loi relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel)

Reference: See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1992120832

Main provisions in relation to ID theft: As under the Data Protection Directive 95/46/EC, ID theft incidents will typically constitute unlawful processing, as they will violate legitimacy requirements (article 5), proportionality obligations and the purpose restriction (article 4), transparency obligations (article 9), security obligations (article 16) and formal obligations such as the prior notification to the Belgian Privacy Commission (article 17).

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, the violations above can also be criminally sanctioned with fines of 550 to 550,000 EUR.

Communications secrecy laws – existence and technical aspects of electronic communication

Relevant law: Law of 13 June 2005 on electronic communication (Wet betreffende de elektronische communicatie / Loi relative aux communications électroniques)

Reference: See http://www.juridat.be/cgi_loi/loi_N.pl?cn=2005061332

Main provisions in relation to ID theft: Article 124 of this Act forbids any third party to (1) intentionally seek knowledge of the existence of electronically sent information not intended for him/her; (2) identify persons involved in such data transfers; (3) intentionally access data related to electronic communication; (4) use, modify or delete such information or identification, irrespective of their origin.
The provision generally applies to unlawful acts in which a third party tries to obtain information on the existence of someone else’s electronic communications or on the technical characteristics of such communications (eg, protocols used, IP addresses, duration, usernames/passwords), and in which this information is abused. This would apply to any ID theft incidents requiring the collection/abuse of such data. It does not apply to the contents of electronic communications as such; these are protected through separate provisions as noted below.

Article 145 of this Act additionally prohibits the following acts:
• Art. 145 §3: deceptively establishing electronic communications with the intent to obtain an unlawful economic benefit, and deploying any device intended to (attempt to) commit any of the infractions in the law;
• Art. 145 §3bis: using an electronic communications network or service to cause any nuisance to a correspondent or to otherwise harm him/her, and deploying any device intended to (attempt to) commit this infraction.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of article 124 can be criminally sanctioned with fines of 275 to 275,000 EUR.
• Violations of article 145 §3 can be criminally sanctioned with fines of 275 to 275,000 EUR and/or imprisonment between 1 and 4 years.
• Violations of article 145 §3bis can be criminally sanctioned with fines of 275 to 1,650 EUR and/or imprisonment between 15 days and 2 years.
Communications secrecy laws – contents of electronic communication

Relevant law: Criminal Code (Strafwetboek / Code Pénal)

Reference: See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801

Main provisions in relation to ID theft: Articles 259bis and 314bis forbid the following acts:
• Using any device to record or listen in on private communications during the transfer without the consent of all participants;
• Deploying any device with a view to committing this crime;
• Keeping or unlawfully using (including revealing) any recordings made in violation of the provision above.
Additional provisions punish the use of lawfully made recordings if this is done deceptively or with the intent to cause harm, and the production, possession or distribution of any devices (including software or data such as passwords) which were primarily designed or modified to commit the aforementioned crimes. This would apply to any ID theft incidents involving the recording of electronic communications. The main distinction between article 259bis and 314bis is the scope: article 259bis applies to public servants and contains harsher sanctions than article 314bis, which is aimed at the general public. Exceptions are defined for military intelligence services.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of article 259bis (public servants) can be criminally sanctioned with fines of 2,750 to 110,000 EUR and/or imprisonment between 6 months and 2 years.
• Violations of article 314bis (general public) can be criminally sanctioned with fines of 1,100 to 55,000 EUR and/or imprisonment between 6 months and 1 year.

Criminal law

Fraud

Relevant law: Criminal Code (Strafwetboek / Code Pénal)

Reference: See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801

Main provisions in relation to ID theft: Fraud in general is punished by Article 496 of the Criminal Code.
This article sanctions any act of using deception (including use of false names or titles, or any other type of deceptive manipulation or abuse of good faith or credulity) with a view to appropriating someone else’s property. This would apply to any ID theft incidents involving the use of a falsified identity to appropriate property.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of article 496 can be criminally sanctioned with fines of 143 to 16,500 EUR and imprisonment between 1 month and 5 years.

Forgery with respect to identity (ie, falsifying identities on a document)

Relevant law: Criminal Code (Strafwetboek / Code Pénal)

Reference: See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801

Main provisions in relation to ID theft: Forgery is punished by Article 194 and following of the Criminal Code, including particularly:
• Art. 194: forgeries committed by public servants on official documents, including through the use of falsified signatures or by falsifying information in official registers or documents;
• Art. 196: forgeries committed by any other person on official documents and in certain private documents such as contracts, including through the use of falsified signatures or falsified documents;
• Art. 198: falsifying passports or other identity documents or intentionally using such documents.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of article 194 (public servants) can be criminally sanctioned with imprisonment between 10 and 15 years.
• Violations of article 196 (general public) can be criminally sanctioned with imprisonment between 5 and 10 years.
• Violations of article 198 (passports and identity documents) can be criminally sanctioned with imprisonment between 1 month and 1 year.
Cybercrime - illegal access to information systems (hacking)

Relevant law: Criminal Code (Strafwetboek / Code Pénal)

Reference: See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801

Main provisions in relation to ID theft: Illegal access to information systems is punished by Article 550bis of the Criminal Code, including particularly:
• §1: accessing an information system without authorisation (external hacking);
• §2: exceeding one’s access rights to an information system (internal hacking);
• §3: copying data from a hacked system, using the hacked system to gain access to another system or causing damage (even unintentionally) to the hacked system or any other system in connection with the hacking;
• §5: producing, owning or distributing any devices (including software or data such as usernames/passwords) which were primarily designed or modified to commit the aforementioned crimes;
• §7: keeping, revealing or otherwise using data obtained from a hacked system.
This would apply to any ID theft incidents involving the use of false credentials to gain unauthorized access to an information system, or to steal credentials from such a system.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of §1 can be criminally sanctioned with fines of 143 to 137,500 EUR and/or imprisonment between 3 months and 1 year. When committed with deceptive intent, imprisonment will be between 6 months and 2 years.
• Violations of §2 can be criminally sanctioned with fines of 143 to 137,500 EUR and/or imprisonment between 6 months and 2 years.
• Violations of §3 can be criminally sanctioned with fines of 143 to 275,000 EUR and/or imprisonment between 1 and 3 years.
• Violations of §5 and §7 can be criminally sanctioned with fines of 143 to 550,000 EUR and/or imprisonment between 6 months and 3 years.
Cybercrime – illegal data interference
Relevant law: Criminal Code (Strafwetboek / Code Pénal)
Reference: See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft: Illegal data interference is punished by Article 550ter of the Criminal Code, including particularly:
• §1: entering, changing or deleting information in an information system without authorisation, or altering its normal use by any technical means;
• §2: causing damage to the data in an information system as a result of committing the crime in §1;
• §3: impeding the correct functioning of an information system as a result of committing the crime in §1;
• §4: producing, owning or distributing any devices (including software or data such as usernames/passwords) which were primarily designed or modified to commit the aforementioned crimes, knowing that these could be used to damage data or to disrupt the functioning of an information system.
This would apply to any ID theft incidents involving the falsifying of identity information stored in an information system.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of §1 can be criminally sanctioned with fines of 143 to 137.500 EUR and/or imprisonment between 6 months and 3 years. When committed with deceptive intent or intent to cause harm, imprisonment will be between 6 months and 5 years.
• Violations of §2 can be criminally sanctioned with fines of 143 to 412.500 EUR and/or imprisonment between 6 months and 5 years.
• Violations of §3 can be criminally sanctioned with fines of 143 to 550.000 EUR and/or imprisonment between 1 and 5 years.
• Violations of §4 and 7 can be criminally sanctioned with fines of 143 to 550.000 EUR and/or imprisonment between 6 months and 3 years.
Cybercrime – computer-related forgery
Relevant law: Criminal Code (Strafwetboek / Code Pénal)
Reference: See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft: Computer-related forgery is punished by Article 210bis of the Criminal Code, including particularly:
• §1: committing forgery by entering, changing or deleting information in an information system or altering its normal use by any technical means, in such a way that it affects the legal impact of such data;
• §2: using data while knowing that it was forged as described in §1.
This would apply to, for example, any ID theft incidents involving the use of false identity information in an information system to change its legal impact (eg, changing the name of the holder of a bank account, or performing banking transactions under someone else’s name).
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of §1 and §2 can be criminally sanctioned with fines of 143 to 550.000 EUR and/or imprisonment between 6 months and 5 years.

Cybercrime – computer-related fraud
Relevant law: Criminal Code (Strafwetboek / Code Pénal)
Reference: See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft: Computer-related fraud is punished by Article 504quater of the Criminal Code, including particularly §1: any act aiming to unlawfully appropriate someone else’s property by entering, changing or deleting information in an information system or altering its normal use by any technical means. This would apply to, for example, any ID theft incidents involving the modification of information systems in order to obtain usernames/passwords (eg, phishing).
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of §1 can be criminally sanctioned with fines of 143 to 550.000 EUR and/or imprisonment between 6 months and 5 years.

Application in practice
In the sections below, we examine if and how these regulations are applied in practice, including the identification of any known case law and resulting sanctions.

Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else’s name)
Applicable law(s): Such an incident would likely involve:
- violation of data protection laws, since personal data of the victim would likely be unlawfully processed to make the false identity believable (eg, publication of the victim's name, address, photo, etc.);
- violation of communication secrecy laws, if the false profile results in messages being sent to the false profile which were intended for the real recipient;
- forgery and/or computer-related forgery, if the forgery changed the legal impact of the information;
- fraud and/or computer-related fraud, if the false identity was used to unlawfully appropriate property.
Case law available?: Yes. In 2002, the criminal court of first instance in Liège ruled on a case in which a visitor created a false identity on a discussion forum. Using this false identity, the person solicited other visitors of the forum to send erotic messages to a phone number which did not belong to him. The court ruled that the use of the false identity constituted fraud and stalking (a qualification as computer fraud was not possible, as the relevant provisions had not yet been adopted at the time of the crime). The defendant was given a 3 year suspension of sentence, and was ordered to pay damages to the victim.
A copy of the decision can be found here: http://internetobservatory.be/internet_observatory/pdf/legislation/jur/jur_be_200211-18.pdf

Unlawfully using another person’s credentials (eg, using someone else’s username or password to send emails in his/her name)
Applicable law(s): Most of the qualifications above could apply, depending on how the credentials were used:
- violation of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully processed;
- violation of communication secrecy laws, if use of the credentials can be qualified as unlawful access to data related to electronic communication (eg, to make bank transfers);
- fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal access to information systems, if the credentials were used to access a system without authorisation.
Case law available?: Several cases are known, specifically in relation to using a third party’s stolen credit card. After a ruling by the Supreme Court (Hof van Cassatie / Cour de Cassation) in 2003, most criminal courts have found this to constitute computer-related fraud.

Using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits
Applicable law(s): The most likely qualifications would be:
- fraud, since the use of a false document would be considered a deception with a view to unlawfully appropriating taxpayer money;
- forgery of identity documents or documents proving an employment relation (sanctioned, inter alia, by art. 198 and following of the Criminal Code);
- fraud in the field of social security (under, inter alia, art. 2 of the Royal Decree of 31/5/1933 and art. 175 of the Royal Decree of 25/11/1991): these provisions sanction applying for social benefits without being entitled to receive them, and thus cover applications based on falsified documents.
Case law available?: Social security fraud by means of a falsified identity or by means of falsified supporting documents is a serious issue that has a big financial impact on the State's budget. According to the Belgian government, in 2008 the public authorities paid 2,55 million Euro to people who applied for social security benefits without any right to obtain them (these figures relate only to employment benefits, so the total undue expenditure by social security authorities is definitely bigger). The case law in the field is extensive; one notable case that can be mentioned here is: Court of Brussels (Corr. Recht., 46ste k.), 21/5/2004: a person who falsified his identity documents in order to obtain social benefits was sentenced (for this fact in combination with other crimes) to 3 years’ imprisonment and a fine of 1.000 Euros.
Using spyware to obtain identity information (eg, installing a computer programme that records which usernames and passwords are used and communicates these to a hacker)
Applicable law(s): The act of using the spyware itself (independent of what the perpetrator would do with the stolen information) would likely be:
- a violation of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully processed;
- a violation of communication secrecy laws, if the collection of the credentials can be qualified as unlawful access to data related to electronic communication;
- illegal access to information systems, since installing the spyware is likely a violation of access rights;
- illegal data interference, since installing the spyware likely involves installing software on the victim’s information system without authorisation.
Case law available?: No known case law.

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law(s): The act of trafficking in unlawfully obtained information would likely be:
- a violation of the data protection act, since the personal information would be unlawfully processed;
- a violation of communication secrecy laws, if the personal information contained data related to electronic communication (like email addresses, IP addresses, etc.).
Case law available?: Yes. In 2000, the criminal courts of Ghent ruled in a case in which a hacker had collected ISP customer data (usernames, passwords, email addresses and credit card numbers) which he subsequently released to press agencies. The hacker was convicted for violation of communications secrecy laws, and fined 40.000 Belgian Francs (approx. 1.000 EUR). A copy of the decision can be found here: http://internetobservatory.be/internet_observatory/pdf/legislation/jur/jur_be_200012-11.pdf No other notable case law has been identified.
ID theft reporting mechanisms
eCops reporting site
To facilitate the reporting and effective follow-up of any Internet-based crime (including electronic ID theft), a general reporting site called eCops was established (www.ecops.be). The site acts as a single contact point, through which any Internet-based crime incidents (eg, phishing) can be reported using standardised forms, with interfaces available in Dutch, French, German and English. Anonymous reports are possible; only the source where the crime was observed is mandatory (a URL, chat server IP address, newsgroup…). Reports submitted via the site are automatically transferred to the Federal Computer Crime Unit (FCCU, http://www.polfed-fedpol.be/crim/crim_fccu_nl.php), which is the section of the Federal Judicial Police responsible for the investigation of computer crime incidents. The FCCU manages the eCops site, in collaboration with the Federal Public Service of the Economy.

It should be noted that the eCops site is primarily aimed at allowing citizens to report Internet crime that they have observed but of which they were not the victims. Victims of such incidents (including ID theft) are recommended to contact their local police office directly, which can in turn call upon the FCCU or one of its regional divisions (Regional Computer Crime Units, RCCUs) to assist them in their investigations if needed [104].

Other sites
Apart from eCops, several other sites play a mainly informative role with respect to ID theft, including notably:
• Specifically to allow the verification of the authenticity of identity documents (principally ID cards and passports), the websites CheckDoc (https://www.checkdoc.be/) and DocStop (https://www.docstop.be/) were established. CheckDoc is primarily targeted towards professional users (eg, customs authorities abroad), allowing them to determine whether a Belgian ID card is authentic on the basis of the identification number of the card, resulting in a hit/no hit result. General information on the security characteristics of various Belgian identity documents is also provided to allow a simple visual verification. Actual follow-up of incidents falls within the competence of the Central Service for Combating Forgeries (Centrale Dienst voor de Bestrijding van Valsheden / L’Office central pour la répression des faux) within the Federal Judicial Police. DocStop, on the other hand, is a site for Belgian citizens, allowing them to block their eID cards in case of accidental loss or theft. The site primarily contains contact information allowing citizens to contact the service directly.
• The Internet Observatory (http://www.internet-observatory.be) is a website managed by the Federal Public Service of the Economy, which disseminates practical information on Internet usage in Dutch and French, including issues such as ID theft (see, for example, http://www.internetobservatory.be/protection_consumer/fraud_prevention/fraud_prevention_fr_004.htm).
• Web4Me / SaferInternet.be (http://www.web4me.be/ / http://www.saferinternet.be/): both of these websites aim to improve awareness of basic Internet security through general tips and recommendations.
• Arnaques / Consumentenbedrog (http://www.consumentenbedrog.be/, http://www.arnaques.be/): a site disseminating general information in relation to consumer protection, including with respect to common Internet fraud attempts. The site provides practical examples of incidents and recommendations to improve consumer awareness.

[104] See http://www.polfed-fedpol.be/pub/brochures/pdf/FCCU-nl.pdf
Personal assessment of the framework for combating ID theft
Globally, it seems that the legal framework for combating ID theft incidents in Belgium is sufficiently comprehensive, as there do not appear to be any examples of ID theft incidents which are not covered under present legislation. The establishment of a contact point for reporting Internet crimes in general (the aforementioned eCops portal) can also be considered a positive development.

Nonetheless, there are also a few weaknesses. Firstly, the eCops site is emphatically promoted as a site for reporting Internet crimes by non-victims. Victims of ID theft are still required to go through official channels (ie, registering a complaint with local police offices). This process is still relatively opaque to victims, and follow-up to such complaints can be slow, depending on the resources available to the investigating magistrates. ID theft does not appear to take a high priority in investigations, except in cases of clear and significant harm to the victim.

Secondly, the investigation of incidents remains complicated in practice, especially in cross-border cases. Even when clear evidence of an ID theft incident can be found (eg, a fake profile on a social networking website through which false information is being spread), it can often prove difficult to convince the website operators to take the offending information off-line, and even harder to obtain information from the operator that would make it possible for local judicial authorities to investigate the crime further (eg, IP addresses or mail addresses used by the offender). In practice, this appears to be the main challenge to combating ID theft incidents.

With respect to publicity, high profile incidents are occasionally reported in the mainstream press.
A recent case (published on 30 March 2010) involved an open letter published in several national newspapers, denouncing the excessive consumption of meat [105], which was signed by a former representative of the Agricultural Union. In fact, it was written by a well known Belgian author. In this case, the writer received a one year suspended sentence, and was ordered to pay symbolic damages in the amount of 1 EUR (in addition to 600 EUR which she paid voluntarily prior to the ruling). However, so far such incidents have not had a strong impact on the public perception or policy regarding identity theft.

[105] See http://www.standaard.be/artikel/detail.aspx?artikelid=DMF20100330_100

Bulgaria
Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in Bulgaria that focuses explicitly on ID theft as a specific crime, or that defines such a crime. In practice, ID theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, etc.). On the other hand, the Bulgarian Criminal Code contains numerous provisions which lay down punishments for specific crimes that may involve ID theft incidents. No such legislation is currently under consideration to our knowledge. Instead, the policy emphasis in Bulgaria is more focused on improving awareness of ID theft risks among potential victims and law enforcement bodies.

Other laws that may apply to ID theft incidents
Privacy protection and data protection legislation
Data protection laws
Relevant law: Personal Data Protection Act (Закон за защита на личните данни), valid as of 1 January 2002; promulgated in SG, issue 1 from 4 January 2002; last amendment promulgated in SG, issue 42 from 5 June 2009.
Reference: See http://www.cpdp.bg/en/index.php?p=element&aid=128
Main provisions in relation to ID theft: As under the Data Protection Directive 95/46/EC, ID theft incidents will typically constitute unlawful processing, as they will violate legitimacy requirements (article 4), proportionality obligations and the purpose restriction (article 2(2)), transparency obligations (article 19), security obligations (article 23) and formal obligations such as the prior notification to the Bulgarian Personal Data Protection Commission (article 17).
Prescribed sanction: Apart from indemnifications that the victim may receive in civil proceedings, the violations above can also be sanctioned as administrative infringements with fines of BGN 500 to BGN 100.000 (approximately from 250 to 50.000 EUR). It must be noted that violations of the requirements of the Personal Data Protection Act are not themselves crimes under Bulgarian legislation.

Communications secrecy laws – existence and technical aspects of electronic communication
Relevant law: Electronic Communications Act (Закон за електронните съобщения), promulgated in SG, issue 41 from 22 May 2007, last amendment promulgated in SG, issue 17 from 2 March 2010.
Reference: See http://www.crc.bg/files/_en/ZES_ENG.pdf
Main provisions in relation to ID theft: Article 246 of this Act explicitly prohibits listening, tapping, storage or any other kind of interception or surveillance of electronic communications by a third person that is not the sender or the recipient without their explicit consent, unless provided for by law. This prohibition does not apply to the providers of electronic communications networks and/or of electronic communications services when the storage is necessary for technical reasons or is a substantial part of the provision of the services, or when it is performed by authorised persons for the purposes of monitoring the technical parameters of the services.
In these cases the provider must destroy the stored electronic communications immediately when the reasons for that storage fall away. The prohibition concerns any unlawful acts in which a third party tries to obtain information on the existence of someone else’s electronic communications or to obtain traffic data related to those communications. It also covers any unlawful acts in which a third party tries to obtain access to any other data which may reveal that content (eg, usernames/passwords).
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of the rules for protecting the confidentiality of the communications and the traffic data related to the communications transferred via an electronic communication network may be sanctioned with fines of BGN 1.000 to BGN 10.000 (approximately from 500 to 5.000 EUR), unless the respective violation constitutes a crime. Since unlawful access to the content of electronic communications is a crime, the above sanction generally applies to cases where the perpetrator obtains access to data which may reveal the content of electronic communications but does not access the content itself.
• For interference with and/or changing the content of third parties’ electronic communications in a public electronic communications network, fines of BGN 200 to BGN 2.000 (approximately from 100 to 1.000 EUR) may be imposed, unless the respective act constitutes a crime.
• An official who abuses the data retained in compliance with the requirements of the Data Retention Directive 2006/24/EC may be sanctioned with fines of BGN 1.000 to BGN 10.000 (approximately from 500 to 5.000 EUR), unless the respective violation constitutes a crime.
Communications secrecy laws – contents of electronic communication
Relevant law: Criminal Code (Наказателен кодекс), valid as of 1 May 1968, promulgated in SG, issue 26 from 2 April 1968, last amendment promulgated in SG, issue 102 from 22 December 2009.
Reference: See http://www.vks.bg/english/vksen_p04_04.htm
Main provisions in relation to ID theft: According to the Constitution of the Republic of Bulgaria (Конституция на Република България, http://www.vks.bg/english/vksen_p04_01.htm) the confidentiality of correspondence and of all other communications is inviolable. This fundamental right covers all kinds of communications and forbids all kinds of unlawful actions or omissions which may violate that confidentiality. Regarding the confidentiality of electronic communications, the general constitutional rule is repeated in more detail in the above cited Art. 246 of the Electronic Communications Act. The violation of the confidentiality of correspondence (including all kinds of electronic communications) is criminalized under Bulgarian law. A person who accesses or through other actions finds out the content of a communication which is sent electronically and is not addressed to him/her may be prosecuted under Art. 171, para. 1, item 3 of the Criminal Code. A person who diverts a communication sent electronically from its actual addressee will also be held liable under Art. 171, para. 1, item 3 of the Criminal Code. If any of the above mentioned criminal acts is committed by an official, he/she will be prosecuted under Art. 171, para. 2 of the Criminal Code. The difference between Art. 171, para. 1 and Art. 171, para. 2 lies in the scope and the punishment: Art. 171, para. 2 applies only to officials who abuse their positions when committing the above mentioned criminal act and, accordingly, the punishment is more severe.
A person who unlawfully accesses and finds out the content of a communication which is sent via telephone, telegraph, computer network or other kinds of electronic communications means and is not addressed to him/her, by using special technical means, will be held liable under Art. 171, para. 3 of the Criminal Code. If this criminal act is committed with mercenary intent or causes significant damages, the perpetrator will be prosecuted under Art. 171, para. 4 of the Criminal Code, which provides for more severe punishment. This provision will apply to all incidents of ID theft involving the recording of electronic communications.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations under Art. 171, para. 1, item 3 (general) can be criminally sanctioned with imprisonment up to 1 year or with fines of BGN 100 to BGN 300 (approximately from 50 to 150 EUR).
• Violations under Art. 171, para. 2 (officials) can be criminally sanctioned with imprisonment up to 2 years. In this case the court may also impose an additional punishment: deprivation of the right to hold certain state or public positions.
• Violations under Art. 171, para. 3 (usage of special technical means) can be criminally sanctioned with imprisonment up to 2 years.
• Violations under Art. 171, para. 4 (usage of special technical means and mercenary intent or causing significant damages) can be criminally sanctioned with imprisonment up to 3 years and fines up to BGN 5.000 (approximately up to 2.500 EUR).

Criminal law
Fraud
Relevant law: Criminal Code (Наказателен кодекс), valid as of 1 May 1968, promulgated in SG, issue 26 from 2 April 1968, last amendment promulgated in SG, issue 102 from 22 December 2009.
Reference: See http://www.vks.bg/english/vksen_p04_04.htm
Main provisions in relation to ID theft: Fraud in general is punished by Article 209 and the following of the Criminal Code.
These articles sanction any act of deceiving someone or maintaining a deceit (including the use of false names or titles, or any other type of deceptive manipulation or abuse of good faith or credulity) for the purpose of appropriating property for oneself or for a third party, thereby causing damage to the deceived person or to another person. These articles also sanction any act of using such deception if in doing so the perpetrator causes damage to the deceived person or to another person. These provisions would apply to any ID theft incidents involving falsification of identity for the purpose of appropriating property. When, for the purposes of the fraud and in particular for obtaining somebody else’s property, a forged, false or unauthentic document is used, the perpetrator will be held liable for so-called documentary fraud under Art. 212 of the Criminal Code.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of Art. 209 and the following can be criminally sanctioned with imprisonment up to 10 years. The punishments are differentiated depending on how grave the committed criminal act is. In certain cases, along with the imprisonment the court may impose confiscation of up to half of the property of the convicted person. Apart from damages that the victim may receive in civil proceedings, violations of Art. 212 can be criminally sanctioned with imprisonment up to 20 years. Again, the punishments are differentiated depending on how grave the committed criminal act is. For certain cases the court may also impose additional sanctions: (1) deprivation of the right to hold certain state or public positions and of the right to exercise a certain profession and/or (2) confiscation of a part or of all of the property of the convicted person.
The Criminal Code provides for less severe punishments if the convicted person returns or replaces the property appropriated through the committed documentary fraud before the end of the court proceedings before the first instance.

Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law: Criminal Code (Наказателен кодекс), valid as of 1 May 1968, promulgated in SG, issue 26 from 2 April 1968, last amendment promulgated in SG, issue 102 from 22 December 2009.
Reference: See http://www.vks.bg/english/vksen_p04_04.htm
Main provisions in relation to ID theft: Forgery is punished by Article 308 and following of the Criminal Code, including particularly:
• Art. 308, para. 1: forgeries of official documents;
• Art. 308, para. 2: forgeries of specific documents such as ID papers or papers certifying civil status (family status, birth or death certificates, etc.), notary certified documents or notary deeds, diplomas, etc.;
• Art. 308, para. 3: forgeries under Art. 308, para. 1 and 2 committed for appropriating property;
• Art. 309: forgeries of private documents and their subsequent use;
• Art. 310: forgeries of official documents committed by officials within their official functions;
• Art. 315: forgeries committed by using someone’s signature through the introduction into a signed blank sheet of statements which do not correspond to the signatory’s will, as well as forgeries committed by misleading someone into signing a document which does not correspond to his/her will;
• Art. 318: unlawful use of an official document issued for another person in order to deceive a state authority or a representative of the public.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of article 308, para. 1 (official documents) can be criminally sanctioned with imprisonment up to 3 years.
• Violations of article 308, para. 2 (specific documents like ID papers) can be criminally sanctioned with imprisonment up to 8 years.
• Violations of article 308, para. 3 (forgeries for appropriating property) can be criminally sanctioned with imprisonment up to 10 years. The appropriated property or its pecuniary value is subject to confiscation by the state.
• Violations of article 309 (forgeries of private documents like contracts and others) can be criminally sanctioned with imprisonment up to 2 years, or up to 3 years for forgeries of securities.
• Violations of article 310 (officials) can be criminally sanctioned with imprisonment up to 5 years and with deprivation of the right to hold certain state or public positions.
• Violations of article 315 (forgeries related to the use of someone else’s signature) can be criminally sanctioned with the same punishments as per Art. 308 and 309 (see above).
The same punishments as those listed above may also be imposed in cases where the perpetrator uses a forged or false document even though he/she cannot be held liable for the forgery itself (Art. 316 of the Criminal Code). Apart from damages that the victim may receive in civil proceedings, violations of article 318 (use of an official document issued for somebody else) can be criminally sanctioned with imprisonment up to 2 years or probation or with fines of BGN 100 to BGN 300 (approximately from 50 to 250 EUR).

Cybercrime - illegal access to information systems (hacking)
Relevant law: Criminal Code (Наказателен кодекс), valid as of 1 May 1968, promulgated in SG, issue 26 from 2 April 1968, last amendment promulgated in SG, issue 102 from 22 December 2009.
Reference: See http://www.vks.bg/english/vksen_p04_04.htm
Main provisions in relation to ID theft: Illegal access to information systems is punished by Article 319a of the Criminal Code, including particularly:
• Para. 1 and 2: copying, using or accessing computer data in a computer system without authorisation where such is required (external hacking). Paragraph 2 concerns cases where the criminal act is committed by more than one person who agreed in advance on the respective actions;
• Para. 3: copying, using or accessing computer data in a computer system without authorisation when the data are related to the creation of an electronic signature.
This would apply to any ID theft incidents involving the use of false credentials to gain unauthorized access to a computer system, or to steal credentials from such a system.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of Art. 319a, para. 1 can be criminally sanctioned with fines amounting up to BGN 3.000 (approximately 1.500 EUR).
• Violations of Art. 319a, para. 2 can be criminally sanctioned with fines amounting up to BGN 3.000 (approximately 1.500 EUR) or with imprisonment up to 1 year.
• Violations of Art. 319a, para. 3 (concerning data related to the creation of an electronic signature) can be criminally sanctioned with fines amounting up to BGN 5.000 (approximately 2.500 EUR) or with imprisonment up to 3 years.
• Violations of Art. 319a which concern state or other secrets protected by law can be criminally sanctioned with imprisonment between 1 and 3 years, if not subject to a more severe sanction.
• Violations of Art. 319a with grave consequences can be criminally sanctioned with imprisonment between 1 and 8 years.

Cybercrime – illegal data interference
Relevant law: Criminal Code (Наказателен кодекс), valid as of 1 May 1968, promulgated in SG, issue 26 from 2 April 1968, last amendment promulgated in SG, issue 102 from 22 December 2009.
Reference See http://www.vks.bg/english/vksen_p04_04.htm Main provisions in Illegal data interference is punished by Article 319b of the relation to ID theft Criminal Code, including particularly any addition, change, deletion or destruction of a computer program or computer data without the authorization by the person that administrates or uses the respective computer system. The introduction/instalment without authorization of a computer virus or another computer program which is designed to disturb the functioning of a computer system or a computer network or to gather, to erase, to delete, to change or to copy computer data is punished by Art. 319d, unless the committed act constitutes graver crime. This would apply to any ID theft incidents involving the falsifying of identity information stored in a computer system system. Prescribed sanction Apart from damages that the victim may receive in civil proceedings: • Violations of Art. 319b can be criminally sanctioned with fines amounting up to BGN 5.o00 (approximately 2.500 EUR) and/or with imprisonment up to 3 years. • Violations of Art. 319c can be criminally sanctioned with fines amounting up to BGN 3.000 (approximately 176 RAND Europe National Profiles 1.500 EUR). When the violation causes significant damages or it is committed again, it can be criminally sanctioned with fines amounting up to BGN 3.000 (approximately 1.500 EUR) and with imprisonment up to 3 years. • Violations of Art. 319d can be criminally sanctioned with imprisonment up to 1 year. When committed with mercenary intent or caused significant damages or consequences, it can be sanctioned with imprisonment up to 3 years. Cybercrime – computercomputer-related forgery Relevant law Criminal Code (Наказателен кодекс), valid as of 1 May 1968, promulgated in SG, issue 26 from 2 April 1968, last amendment promulgated in SG, issue 102 from 22 December 2009. 
Reference See http://www.vks.bg/english/vksen_p04_04.htm Main provisions in When the illegal data interference concerns data which according relation to ID theft to the law is supposed to be submitted electronically or on a theft magnet, optical or other medium, the perpetrator will be held liable under Art. 319c of the Criminal Code. The provision of Art. 319c does not refer to typical computerrelated forgery. However, it would apply to any ID theft incidents involving the changing identity information which according to the law is submitted electronically or on a magnet, optical or other medium. Person, who for the purposes of appropriating property enters, changes, deletes or erases computer data without being authorized to do so will be held liable under Art. 212a, para. 2 of the Criminal Code. This would apply to any ID theft incidents involving the creation of false identity information in a computer system for the purposes of appropriating property. It must be noted that the provision of Art. 212a, para. 2 is systematically part of the provisions concerning fraud. Prescribed sanction Apart from damages that the victim may receive in civil proceedings, violations of Art. 319c can be criminally sanctioned with fines amounting up to BGN 3.000 (approximately 1.500 EUR). When the violation causes significant damages or it is performed again, it can be criminally sanctioned with fines amounting up to BGN 3.000 (approximately 1.500 EUR) and with imprisonment up to 3 years. Apart from damages that the victim may receive in civil 177 RAND Europe National Profiles proceedings, violations of Art. 212a, para. 2 can be criminally sanctioned with fines amounting up to BGN 6.000 (approximately 3.000 EUR) and with imprisonment between 1 and 6 years. 
Cybercrime – computercomputer-related fraud Relevant law Criminal Code (Наказателен кодекс), valid as of 1 May 1968, promulgated in SG, issue 26 from 2 April 1968, last amendment promulgated in SG, issue 102 from 22 December 2009. Reference See http://www.vks.bg/english/vksen_p04_04.htm Main provisions in Computer-related fraud is punished by Article 212a, para. 1 of relation to ID theft the Criminal Code, including particularly any act aiming to unlawfully appropriate someone else’s property by deceiving or maintaining deceit somebody through entering, changing, deleting or erasing computer data or through using someone else’s electronic signature. This would apply to any ID theft incidents involving the modification of information in computer systems in order to obtain usernames/passwords (eg, phishing) or using false identity by using someone else’s electronic signature. Prescribed sanction Apart from damages that the victim may receive in a civil proceedings, violations of Art. 212a, para. 1 can be criminally sanctioned with fines amounting up to BGN 6.000 (approximately 3.000 EUR) and with imprisonment between 1 and 6 years. Cybercrime – Disseminating passwords and codes for access to computer system Relevant law Criminal Code (Наказателен кодекс), valid as of 1 May 1968, promulgated in SG, issue 26 from 2 April 1968, last amendment promulgated in SG, issue 102 from 22 December 2009. Reference See http://www.vks.bg/english/vksen_p04_04.htm Main provisions in Any dissemination or disclosure of passwords or codes for access relation to ID theft to computer system which leads to disclosure of personal data or state or other protected by law secret is punished by Art. 319e of the Criminal Code. This would apply to ID theft incidents involving trafficking or transferring of personal information. Prescribed sanction Apart from damages that the victim may receive in civil proceedings, violations of Art. 319e, para. 
1 can be criminally 178 RAND Europe National Profiles sanctioned with imprisonment up to 1 year. When committed with mercenary intent or caused significant damages, it can be criminally sanctioned with imprisonment up to 3 years. Usage of a payment instrument or data from a payment payment instrument without the consent of its owner Relevant law Criminal Code (Наказателен кодекс), valid as of 1 May 1968, promulgated in SG, issue 26 from 2 April 1968, last amendment promulgated in SG, issue 102 from 22 December 2009. Reference See http://www.vks.bg/english/vksen_p04_04.htm Main provisions in The usage of a payment instrument and the usage of data from relation to ID theft such an instrument without the consent of the owner/titular of theft the respective payment instrument is punished by Art. 249, para. 1 of the Criminal Code, unless it is a graver crime. The creation, instalment or usage of technical means for the purposes of obtaining information about the content of a payment instrument is punished by Art. 249, para. 3. Respectively, the storage or the provision of such information is punished by Art. 249, para. 4 of the Criminal Code. A person who performs bank transfers by using forged or false documents will be held liable under Art. 250 of the Criminal Code. The above provisions would apply to ID theft incidents involving stealing payment instruments credentials and usage of false identity for the purposes of using someone else’s payment instruments. Prescribed sanction Apart from damages that the victim may receive in civil proceedings: • Violations of Art. 249, para. 1 can be criminally sanctioned with fines of double amount of the received sum and with imprisonment between 2 and 8 years. • Violations of Art. 249, para. 3 or 4 can be criminally sanctioned with fines of double amount of the received sum and with imprisonment between 1 and 8 years. • Violations of Art. 
250 can be criminally sanctioned with fines of double amount the respective bank transfer and with imprisonment between 1 and 10 years. Application in practice 179 RAND Europe National Profiles In the sections below, we will examine if/how these regulations are applied in practice, including the identification of any known case law and resulting sanctions. Claiming a false identity onon-line (eg, (eg, creating an account on a social networking site such as Facebook under someone else’s name) Applicable law(s) Such an incident would likely involve: - violation of data protection laws, since personal data of the victim would likely be unlawfully processed to make the false identity believable (eg, publication of the victim's name, address, photo, etc.); - violation of communication secrecy laws, if the false profile results in messages being sent to the false profile which were intended for the real recipient; - computer-related forgery, the creation or the usage of the false profile is related to any unauthorized entering, change, deletion or erasure of computer data if the respective false profile is used for appropriating property; - fraud and/or computer-related fraud, if the false identity was used to unlawfully appropriate property. Case law available? No known case law. 
Unlawfully using another person’s credentials (eg, using someone else’s username or password to send emails in his/her name)
Applicable law(s): Most of the qualifications above could apply, depending on how the credentials were used:
- violation of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully processed;
- violation of communication secrecy laws, if use of the credentials can be qualified as unlawful access to data related to electronic communication, as access to electronic communications content, or as diverting these communications from their actual addressee;
- fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal access to information systems, if the credentials were used to access a system without authorisation;
- illegal usage of a payment instrument or data from a payment instrument without the consent of its owner, if the credentials concern such a payment instrument or were used for the creation of such a false payment instrument; also if the credentials and the respective false identity were used for performing bank transfers.
Case law available? Several cases are known, specifically in relation to: unlawfully obtaining data related to third parties’ bank cards by using special technical means; reproduction of false plastic copies of bank cards by using unlawfully obtained data regarding such bank cards; and, respectively, usage of someone else’s bank card or a plastic copy of such a card. In Case No 159 of 2007 the Bourgas Regional Court found the accused guilty of using another person’s debit card without his knowledge or approval. In Case No 291 of 2009 before the Sofia Court of Appeal the accused made and used plastic copies of real credit cards containing all the information necessary to make a bank transfer, and were found guilty of using these cards.

Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else’s bank account)
Applicable law(s): The act of phishing itself (independent of what the perpetrator would do with the stolen information) would likely be:
- a violation of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully processed;
- a violation of communication secrecy laws, if the collection of the credentials can be qualified as unlawful access to traffic data or other data which may reveal the content of the electronic communication;
- fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal data interference, if the act of phishing involved entering, changing or deleting information in a computer system without authorisation (eg, in order to falsify a website) or the installation of a computer virus or another computer program in a third party’s computer system without authorisation.
Case law available? No known case law.

Using spyware to obtain identity information (eg, installing a computer programme that records which usernames and passwords are used and communicates these to a hacker)
Applicable law(s): The act of using the spyware itself (independent of what the perpetrator would do with the stolen information) would likely be:
- a violation of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully processed;
- a violation of communication secrecy laws, if the collection of the credentials can be qualified as unlawful access to data which may reveal the content of electronic communications;
- illegal access to information systems, since installing the spyware is likely a violation of access rights;
- illegal data interference, since installing the spyware likely involves installing software on the victim’s information system without authorisation.
Case law available? The Criminal Code provides that the installation in a computer system, without authorisation, of any computer programme intended to gather, erase, delete, change or copy computer data is a crime. The respective provisions, however, have not yet been applied in practice. Case law does exist regarding the use of a method for obtaining identity information and credentials through a combination of hardware and software. In Case No 337 of 2008 of the Bourgas Regional Court the court found the accused guilty of mounting a special technical device on an ATM, through which he had acquired information contained in bank cards used on that ATM.

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law(s): The act of trafficking in unlawfully obtained information would likely be:
- a violation of the data protection act, since the personal information would be unlawfully processed;
- a violation of communication secrecy laws, if the personal information contained traffic data or data which may reveal the content of electronic communications;
- illegal dissemination of information whose dissemination is prohibited by law;
- illegal dissemination or disclosure of passwords or codes for access to a computer system which leads to the disclosure of personal data or of state or other secrets protected by law, if the trafficked data contains such details.
Case law available? Yes. In Case No 25 of 2008 the Sliven Military Court found the defendant guilty of disclosing personal data (including names, personal identification numbers, addresses, and photos) belonging to a group of natural persons to a single natural person who was not entitled to access the data. A copy of the decision can be found here: http://www.rsslivnitza.org/acts.html?filter=filter&filters[case_number]=284&filters[case_year]=2007&filters[ingoing_number]=&commit=%D0%A2%D1%8A%D1%80%D1%81%D0%B8

Claiming false identity – non-electronically (eg, using someone else’s ID documents or false ID documents, or forgery of ID documents)
Applicable law(s): The act of claiming a false identity non-electronically would likely be:
- a violation of the data protection act, if personal information has been unlawfully processed (for the creation of false documents);
- forgery of official documents, if such documents have been changed;
- fraud or documentary fraud, if the false identity was used to unlawfully appropriate property.
Case law available? In Case No 284 of 2007 the Slivnitza District Court found the defendant guilty of using another person’s valid identification document (passport) with the purpose of deceiving the bodies of the customs administration and creating the false belief that she was the person to whom the passport belonged. In Case No 37 of 2006 of the Sofia Military Court the court found the accused guilty of using a forged passport when trying to cross the state border. The passport had not been entirely created by the criminal: it had been legally issued to another person, but illegal changes had subsequently been introduced to its contents, which was enough for it to be considered counterfeit. In Case No 1278 of 2007 before the Kazanlak District Court the defendant was found guilty of fraud under. He created entirely unauthentic documents – an invoice and a sale contract – and then used them to prove the existence of a contract between a certain natural person and a legal entity.

ID theft reporting mechanisms
Official website for combat against cybercrimes
To facilitate the reporting and effective follow-up of Internet-based crime and, in particular, of phishing, a site under the control of the law enforcement department competent for the investigation of cybercrimes within the Bulgarian Ministry of the Interior was established (http://www.cybercrime.bg/index.html). The site acts as a single contact point through which Internet-based crime incidents (eg, phishing) can be reported using a standardised form with an interface available in Bulgarian. Anonymous reports are possible. The website allows submission of a description of the respective incident and an email contact for feedback (the latter is not mandatory). This website also contains useful and comprehensible information on some cybercrimes, including on the risk of ID theft incidents on the Internet and how citizens can protect themselves against such attacks.
Other sites
Apart from the above specialised website, the website of the Bulgarian Personal Data Protection Commission (http://www.cpdp.bg/?p=pages&aid=6) allows online submission of complaints related to any violation of data protection legislation. For a valid complaint a name, a valid email and an address are required. On the basis of such an online complaint the Commission initiates an inspection, which may end with obligatory prescriptions to the data controller that has violated the law, or even with the imposition of a sanction.

Personal assessment of the framework for combating ID theft
Globally, it seems that the legal framework for combating ID theft incidents in Bulgaria is sufficiently comprehensive, as there do not appear to be any examples of ID theft incidents which are not covered under present legislation. The establishment of a contact point for reporting cybercrimes in general (the aforementioned website for combat against cybercrimes) can also be considered a positive development.

Nonetheless, there are a few weaknesses. Firstly, the above-mentioned website is not subject to update or further development. Also, it is not very well promoted among the public. In practice, victims of ID theft are still required to go through official channels (ie, registering a complaint with local police offices). Secondly, the investigation of incidents remains complicated in practice, especially in cross-border cases. Numerous cases cannot end with an effective sentence because of significant mistakes and procedural infringements during the investigation and the collection of evidence.

Also, even when clear evidence of an ID theft incident can be found (eg, a fake profile on a social networking website through which false information is being spread), it can often prove difficult to convince the website operators to take the offending information off-line, and even harder to obtain information from the operator that would make it possible for the victim to protect his/her privacy (eg, IP addresses or mail addresses used by the offender). In practice, this appears to be the main challenge to combating ID theft incidents. The reason is that there is no regulation focused specifically on online ID theft incidents which are not related to fraud or another mercenary purpose but result only in moral damages. Such cases are not treated as crimes and are therefore not subject to criminal investigation. Such violations can be sanctioned only as administrative infringements, regardless of how serious their consequences are for the privacy and intimate life of the victim. Also, since such actions are not crimes, the options for obtaining information about the perpetrator are correspondingly limited. The further development of the penal legislation and the introduction of specific provisions in this context seems more and more topical in view of the rising popularity of social networks.

Canada
Laws focusing explicitly on ID theft
On the 31st of March 2009 the Act to amend the Criminal Code (identity theft and related misconduct), Bill S-4,106 was introduced in the Canadian Senate. With its coming into force on the 8th of January 2010, the bill, which – with a few additional offences – covers the same provisions already proposed in 2007 by Bill C-27,107 has amended the Criminal Code to cover identity-related crimes.
In particular the bill aims to close the gap with respect to certain activities not previously covered by other provisions of the Criminal Code, such as preparatory activities.108

Other laws that may apply to ID theft incidents
Privacy protection and data protection legislation
There are some central federal laws regulating privacy and data security, the most important of which we present below. However, given the federal structure of Canada, there are also several privacy laws implemented at state and province level. Ontario, for example, has the Ontario ‘Freedom of Information and Protection of Privacy Act’,109 the ‘Municipal Freedom of Information and Protection of Privacy Act’,110 and the ‘Personal Health Information Protection Act’.111 Additional information on the individual state-level legislation can be found on the website of the Information and Privacy Commissioner of Ontario.112

A new law, Bill C-27: Electronic Commerce Protection Act (ECPA), was proposed in 2009, but it has not been reintroduced.113 The ECPA would have provided the regulation (including administrative monetary penalties) with respect to spam and related threats such as identity theft, phishing, spyware, and viruses. Additionally, the ECPA would have granted a right of civil action to businesses and consumers targeted by the perpetrators of such activities.

106 S-4 An Act to amend the Criminal Code (identity theft and related misconduct), 40th Parliament - 2nd Session (Jan. 26, 2009-Dec. 30, 2009). Available at: http://www2.parl.gc.ca/Sites/LOP/LEGISINFO/index.asp?Language=E&Session=22&query=5778&List=toc
107 Bill C-27, 39th Parliament 2nd Session, introduced in Parliament November 21, 2007. Available at: http://www2.parl.gc.ca/Sites/LOP/LEGISINFO/index.asp?Language=E&query=5333&Session=15&List=toc.
108 Legislative Summary of the Bill S-4: An Act to Amend the Criminal Code (Identity Theft and Related Misconducts), 2009. Available at: http://www2.parl.gc.ca/Sites/LOP/LEGISINFO/index.asp?Language=E&query=5778&Session=22&List=ls
109 Available at: http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm
110 Available at: http://www.search.e-laws.gov.on.ca/en/isysquery/1385d774-050f-4aca-83c6e318d815c202/8/doc/?search=browseStatutes&context=#hit1
111 Available at http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm
112 See: http://www.ipc.on.ca/english/Resources/Legislation/Legislation-Summary/?id=453
113 Bill C-27: Electronic Commerce Protection Act (2nd Session of the 40th Parliament). Available at: http://www2.parl.gc.ca/Sites/LOP/LegislativeSummaries/Bills_ls.asp?lang=E&ls=c27&source=library_prb&Parl=40&Ses=2

Data protection law (regarding the collection, use, and disclosure of individual data by organizations)
Relevant law: Personal Information Protection and Electronic Documents Act (PIPEDA)
Reference: See http://laws.justice.gc.ca/en/P-8.6/
Main provisions in relation to ID theft: PIPEDA applies to organizations and their collection, use or disclosure of personal information in the course of commercial activities.114 ‘Personal information’ is defined as ‘information about an identifiable individual’, other than the ‘name, title or business address or telephone number of an employee of an organization.’ This definition includes email addresses that are traceable to the individual, as well as information that does not itself permit identification of an individual but relates to an identifiable individual (for instance, his or her shopping preferences).
Prescribed sanction: Under PIPEDA, individuals can submit complaints to the Privacy Commissioner. The Commissioner has to conduct an investigation in response to such a complaint. She can, however, also launch an investigation on her own initiative. Subsequently, the Commissioner has the right to issue non-binding recommendations based on her findings. Following this step, either the individual or the Commissioner can seek legal enforcement at a Federal Court. The court is entitled to order corrective practices, publication of the notice regarding corrective practices, damages (incl. for humiliation), and other remedies.

114 Given that Alberta, British Columbia, Quebec, as well as Ontario (with respect to personal health information) have enacted equivalent privacy laws, PIPEDA does in general not apply to these jurisdictions.

Data protection law (regarding the collection, use, and disclosure of individual data by the government)
Relevant law: Privacy Act
Reference: See http://laws.justice.gc.ca/en/P-21/index.html
Main provisions in relation to ID theft: This Act aims to protect the privacy of individuals with respect to personal information about them that is held by a government institution, and it regulates the individuals’ right of access to that information. ‘Personal information’ is defined as ‘information about an identifiable individual that is recorded in any form’, and includes amongst others ‘(a) information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual, (b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved, (c) any identifying number, symbol or other particular assigned to the individual, (d) the address, fingerprints or blood type of the individual, (e) the personal opinions or views of the individual except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution or a part of a government institution specified in the regulations, (f) correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence.’ Without the consent of the respective individual, the government entity holding personal information is not allowed to disclose the information. Exceptions are established by the Act in section 8(1) and include, amongst others, the case where another legislative act authorizes such disclosure, where it is requested by a subpoena or warrant issued or order made by a court, or disclosure to the Attorney General of Canada for use in legal proceedings involving the Crown in right of Canada or the Government of Canada. According to the Act, every government institution has to make sure that personal information about an individual is included in the institution’s personal information bank(s). Section 12.
(1) finally grants the individual right of access to ‘(a) any personal information about the individual contained in a personal information bank; and (b) any other personal information about the individual under the control of a government institution with respect to which the individual is able to provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the government institution.’ Prescribed sanction sanction Under section 41 of the Privacy Act, an individual may request a hearing before the Federal Court of Canada only in relation to a refusal by a government institution to provide an individual access to his or her personal information held by the government institution about which a complaint was made to the Privacy 188 RAND Europe National Profiles Commissioner of Canada. Criminal law Identity theft Relevant law Criminal Code Reference See http://www2.parl.gc.ca/Sites/LOP/LEGISINFO/index.asp?Langu age=E&Session=22&query=5778&List=toc, and http://www2.parl.gc.ca/Sites/LOP/LEGISINFO/index.asp?Langu age=E&Chamber=N&StartList=A&EndList=Z&Session=22&Ty pe=0&Scope=I&query=5778&List=toc-1 Main provisions in Section 402 is the central identity theft provision. It criminalizes relation to ID theft everyone who: knowingly obtains or possesses another person’s identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence. transmits, makes available, distributes, sells or offers for sale another person’s identity information, or has it in their possession for any of those purposes, knowing that or being reckless as to whether the information will be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence. 
‘Indictable offence’ refers to any of the following: (a) section 57 (forgery of or uttering forged passport); (b) section 58 (fraudulent use of certificate of citizenship); (c) section 130 (personating peace officer); (d) section 131 (perjury); (e) section 342 (theft, forgery, etc., of credit card); (f) section 362 (false pretence or false statement); (g) section 366 (forgery);(h) section 368 (use, trafficking or possession of forged document); (i) section 380 (fraud); and (j) section 403 (identity fraud). ‘Identity information’ is defined as information ‘commonly used alone or in combination with other information to identify or purport to identify an individual.’ Examples for such information are: name, address, date of birth, written, electronic or digital signature, Social Insurance Number, health insurance or driver’s licence number, credit or debit card number, number of an account at a financial institution, passport number, user code, password, fingerprint or voice print, retina or iris image, or DNA 189 RAND Europe National Profiles profiles. Prescribed sanction This is a hybrid offence115 for which the Criminal Code foresees two alternatives, prosecution as a) an indictable offence with imprisonment of no more than 5 years, or b) a summary conviction punishable by a fine of no more than $5000 or six months of jail, or both. Additionally, subsection 738(1)(d) enables the court to order the offender - as part of the sentence - to pay restitution (covering expenses incurred to re-establish the identity, including expenses to replace the identity documents and to correct the credit history and credit rating) to a victim. 
Identity fraud Relevant law Criminal Code Reference See http://laws.justice.gc.ca/eng/C-46/page-2.html Main provisions in Section 403 of the Criminal Code criminalizes any fraudulent relation to ID theft impersonation of a person (living or dead) with the intent to a) gain any advantages for oneself or another person, b) obtain property or an interest in a property, c) cause a disadvantage to another person, or d) avoid arrest or prosecution, or obstruct, pervert or defeat the course of justice. This provision covers also identity-related crimes of non-economic nature, but does not extent to the fraudulent use of a fictitious identity. Prescribed sanction This is a hybrid offence for which the Criminal Code foresees two alternatives, prosecution as a) an indictable offence with imprisonment of no more than 10 years, or b) a summary conviction punishable by a fine of no more than $5000 or six months of jail, or both. Additionally, subsection 738(1)(d) enables the court to order the offender - as part of the sentence to pay restitution (covering expenses incurred to re-establish the identity, including expenses to replace the identity documents and to correct the credit history and credit rating) to a victim. 115 Canadian criminal law groups offences in three different prototypes a) summary conviction offences, which are minor offences, that are – unless a different penalty is specified – punished by a fine of no more than $5000, or six months of jail, or both; b) indictable offences, which are more serious and where the offender is in general entitled to a trial by jury, and c) hybrid offences, that can be prosecuted either as summary convictions or indictments. In the latter case the Crown can decide on the mode of prosecution. 
See: http://www.defencelaw.com/classification.html

Unlawfully ordering, possessing or trafficking in identity documents
Relevant law: Criminal Code
Reference: See http://laws.justice.gc.ca/eng/C-46/page-2.html
Main provisions in relation to ID theft: Section 56.1(1) criminalizes everyone who, without lawful reason, procures to be made, possesses, transfers, sells or offers for sale an identity document that relates or purports to relate, in whole or in part, to another person. ‘Identity document’ is defined as a Social Insurance Number card, a driver’s licence, a health insurance card, a birth certificate, a death certificate, a passport, a document that simplifies the process of entry into Canada, a certificate of citizenship, a document indicating immigration status in Canada, a certificate of Indian status or an employee identity card that bears the employee’s photograph and signature, or any similar document, issued or purported to be issued by a department or agency of the federal government or of a provincial or foreign government.
Prescribed sanction: This is a hybrid offence for which the Criminal Code foresees two alternatives: prosecution as a) an indictable offence with imprisonment of no more than 5 years, or b) a summary conviction punishable by a fine of no more than $5000 or six months of jail, or both.

Forgery
Relevant law: Criminal Code
Reference: See http://laws.justice.gc.ca/eng/C-46/page-6.html
Main provisions in relation to ID theft: Section 366 criminalizes the making of a false document, as well as the altering of a genuine document, with the intent that it be treated as a genuine document by someone else.
Prescribed sanction: Forgery is a hybrid offence for which the Criminal Code foresees two alternatives: prosecution as a) an indictable offence with imprisonment of no more than 10 years, or b) a summary conviction punishable by a fine of no more than $5000 or six months of jail, or both.
Use, trafficking or possession of forged document
Relevant law: Criminal Code
Reference: http://laws.justice.gc.ca/eng/C-46/page-6.html
Main provisions in relation to ID theft: Section 368(1) criminalizes everyone who, knowing or believing that a document is forged, (a) uses, deals with or acts on it as if it were genuine; (b) causes or attempts to cause any person to use, deal with or act on it as if it were genuine; (c) transfers, sells or offers to sell it or makes it available to any person, knowing that or being reckless as to whether an offence will be committed under paragraph (a) or (b); or (d) possesses it with intent to commit an offence under any of paragraphs (a) to (c).
Prescribed sanction: This is a hybrid offence for which the Criminal Code foresees two alternatives: prosecution as a) an indictable offence with imprisonment of no more than 10 years, or b) a summary conviction punishable by a fine of no more than $5000 or six months of jail, or both.

Instruments for copying credit card data or forging or falsifying credit cards
Relevant law: Criminal Code
Reference: See http://laws.justice.gc.ca/eng/C-46/page-6.html
Main provisions in relation to ID theft: Section 342.01 criminalizes everyone who, without lawful justification, makes, repairs, buys, sells, exports from Canada, imports into Canada or possesses any instrument, device, apparatus, material or thing that they know has been used or know is adapted or intended for use (a) in the copying of credit card data for use in the commission of an offence under subsection 342(3); or (b) in the forging or falsifying of credit cards.
Prescribed sanction: This is a hybrid offence for which the Criminal Code foresees two alternatives: prosecution as a) an indictable offence with imprisonment of no more than 10 years, or b) a summary conviction punishable by a fine of no more than $5000 or six months of jail, or both.

Theft, forgery, etc. of credit cards (the definition of credit cards also includes debit cards)
Relevant law: Criminal Code
Reference: See http://laws.justice.gc.ca/eng/C-46/page-2.html
Main provisions in relation to ID theft: Section 342(1) covers the unauthorized collection, possession and trafficking of credit (including debit) cards. Specifically, it criminalizes everyone who: steals a credit card; forges or falsifies a credit card; possesses, uses or traffics in a credit card or a forged or falsified credit card, knowing that it was obtained, made or altered by the commission of an act that would be an offence in Canada; or uses a credit card knowing that it has been revoked or cancelled.
Prescribed sanction: This is a hybrid offence for which the Criminal Code foresees two alternatives: prosecution as a) an indictable offence with imprisonment of no more than 10 years, or b) a summary conviction punishable by a fine of no more than $5000 or six months of jail, or both.

Unauthorized use of credit card data
Relevant law: Criminal Code
Reference: See http://laws.justice.gc.ca/eng/C-46/page-6.html
Main provisions in relation to ID theft: Section 342(3) criminalizes everyone who, ‘fraudulently and without colour of right, possesses, uses, traffics in or permits another person to use credit card data, including personal authentication information, whether or not the data is authentic, that would enable a person to use a credit card or to obtain the services that are provided by the issuer of a credit card to credit card holders.’ ‘Personal authentication information’ is defined as a ‘personal identification number or any other password or information a credit card holder creates or adopts to be used to authenticate his or her identity in relation to the credit card’.
Prescribed sanction: This is a hybrid offence for which the Criminal Code foresees two alternatives: prosecution as a) an indictable offence with imprisonment of no more than 10 years, or b) a summary conviction punishable by a fine of no more than $5000 or six months of jail, or both.

Theft from mail
Relevant law: Criminal Code
Reference: See http://laws.justice.gc.ca/eng/C-46/page-6.html
Main provisions in relation to ID theft: Section 356(6) criminalizes everyone who steals anything sent by post; possesses anything that he knows was stolen while sent by mail; or makes, possesses or uses a copy of a key for a Canada Post mailbox or another key with the intent to commit a mail-related offence; as well as the theft of such a key, or the fraudulent redirection of anything sent by post.
Prescribed sanction: This is a hybrid offence for which the Criminal Code foresees two alternatives: prosecution as a) an indictable offence with imprisonment of no more than 10 years, or b) a summary conviction punishable by a fine of no more than $5000 or six months of jail, or both.

Unauthorized use of computer
Relevant law: Criminal Code
Reference: See http://laws.justice.gc.ca/eng/C-46/page-2.html
Main provisions in relation to ID theft: Section 342.1(1) covers the unauthorized collection, possession and trafficking of computer passwords.
Specifically, it criminalizes everyone who ‘fraudulently and without colour of right: (a) obtains, directly or indirectly, any computer service, (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system, (c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 [mischief] in relation to data or a computer system, or (d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)’.
Prescribed sanction: This is a hybrid offence for which the Criminal Code foresees two alternatives: prosecution as a) an indictable offence with imprisonment of no more than 10 years, or b) a summary conviction punishable by a fine of no more than $5000 or six months of jail, or both.

Possession of device to obtain computer service
Relevant law: Criminal Code
Reference: See http://laws.justice.gc.ca/eng/C-46/page-2.html
Main provisions in relation to ID theft: Subsection 342.1(2) covers the creation, possession and trafficking of devices to obtain computer services.
Specifically, it criminalizes everybody who, ‘without lawful justification or excuse, makes, possesses, sells, offers for sale or distributes any instrument or device or any component thereof, the design of which renders it primarily useful for committing an offence under section 342.1 [unauthorized use of computer], under circumstances that give rise to a reasonable inference that the instrument, device or component has been used or is or was intended to be used to commit an offence contrary to that section’.
Prescribed sanction: This is a hybrid offence for which the Criminal Code foresees two alternatives: prosecution as a) an indictable offence with imprisonment of no more than 2 years, or b) a summary conviction punishable by a fine of no more than $5000 or six months of jail, or both.

Fraud
Relevant law: Criminal Code
Reference: See http://laws.justice.gc.ca/eng/C-46/page-2.html
Main provisions in relation to ID theft: Fraud in general is punished by Section 380(1) of the Criminal Code. This provision sanctions any act of using deception to appropriate someone else’s property, or to put that person at risk of such a deprivation. This provision covers identity-related crimes that have the purpose of gaining economic benefits, but not those aiming at non-financial benefits (such as evasion of police detection).
Prescribed sanction: Violations of section 380(1) are punished depending on the value of the economic benefit obtained by the fraudulent act. If the value is less than $5000, the law treats it as a hybrid offence and foresees two alternatives: prosecution as a) an indictable offence with imprisonment of no more than 2 years, or b) a summary conviction punishable by a fine of no more than $5000 or six months of jail, or both. If the economic benefit gained exceeds $5000, the act is prosecuted as an indictable offence and the punishment is imprisonment of no more than 14 years.

Drawing document without authority, etc.
Relevant law: Criminal Code
Reference: See http://laws.justice.gc.ca/eng/C-46/page-6.html
Main provisions in relation to ID theft: Section 374 criminalizes anybody who: ‘(a) with intent to defraud and without lawful authority makes, executes, draws, signs, accepts or endorses a document in the name or on the account of another person by procuration or otherwise, or (b) makes use of or utters a document knowing that it has been made, executed, signed, accepted or endorsed with intent to defraud and without lawful authority, in the name or on the account of another person, by procuration or otherwise’.
Prescribed sanction: This offence is indictable and punishable with no more than 14 years of imprisonment.

False pretence or false statement
Relevant law: Criminal Code
Reference: See http://laws.justice.gc.ca/eng/C-46/page-6.html
Main provisions in relation to ID theft: Section 362 criminalizes mainly anybody who, by a false pretence, obtains anything in respect of which the offence of theft may be committed, or obtains credit by a false pretence or by fraud.
Prescribed sanction: The general punishment if the value obtained exceeds $5000 is imprisonment for not more than ten years (in this case the offence is indictable). Where the value obtained is less than $5000, the offence can be treated as indictable with imprisonment for no more than two years, or as a summary conviction punishable by a fine of no more than $5000 or six months of jail, or both.

Application in practice
Given that the Act to amend the Criminal Code (identity theft and related misconduct) only came into force at the beginning of 2010, it remains to be seen how these new provisions will be applied over time. In the sections below we nevertheless examine, to the extent possible, how the wider set of regulations might be applied in practice.
Claiming a false identity online (eg, creating an account on a social networking site such as Facebook under someone else’s name)
Applicable law(s): Such an incident would likely at least involve:
* Identity theft (section 402) if another’s identity is used knowingly, and with the intention of committing an indictable offence (eg, section 403).
* Identity fraud (section 403) if the offender takes on the false identity with the intent to use this account to gain any advantage (also of a non-economic nature), or to cause a disadvantage to the person whose name is used.
* Fraud (section 380(1)) if the purpose of the deception is to gain economic benefit.
Case law available? No new case law known.

Unlawfully using another person’s credentials (eg, using someone else’s username or password to send emails in his/her name)
Applicable law(s): Such an incident would likely at least involve:
* Unauthorized use of computer (section 342.1(1)) if the use or possession of computer passwords is involved.
* Identity theft (section 402) if another’s identity is used knowingly, and with the intention of committing an indictable offence (eg, section 403).
* Identity fraud (section 403) if the intent is to use this account to gain any advantage (also of a non-economic nature), or to cause a disadvantage to the person whose name is used.
* Fraud (section 380(1)) if the purpose of the deception is to gain economic benefits.
Case law available? No new case law known.

Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else’s bank account)
Applicable law(s): Such an incident would likely at least involve:
* Data privacy law as established in PIPEDA if the emails are sent by an organization to an individual who did not consent to receive that email.
* Identity theft (section 402) if the offender obtains the identity information with the intention of committing an indictable offence (eg, section 403).
* Identity fraud (section 403) if the offender claims in his email to be another person with the intention to gain any advantage (also of a non-economic nature), or to cause a disadvantage to the person whose name is used.
* Unauthorized use of computer (section 342.1(1)) if the use or possession of computer passwords is involved (mere phishing without using someone else’s password or obtaining other people’s passwords is, however, not covered by this section).
* Fraud (section 380(1)) if the purpose of the deception is to gain economic benefit.
* Trade-mark Act if the domain name of another company is claimed this might.
Case law available? A case where an Ontario-based spammer used a fictitious Amazon webpage was settled before the defence filed [Amazon.com Inc. v. 1505820 Ontario Inc., c.o.b. Natural Grains Deli and Catering (Statement of Claim filed August 25, 2003 in Ontario Superior Court of Justice)]. No new case law known.

Using spyware to obtain identity information (eg, installing a computer programme that records which usernames and passwords are used and communicates these to a hacker)
Applicable law(s): Such an incident would likely involve:
* Identity theft (section 402) if the obtained personal information is intended to be used to commit an indictable offence (eg, section 403).
* Identity fraud (section 403) if the intent is to use the personal information to gain any advantage (also of a non-economic nature), or to cause a disadvantage to the person whose name is used.
* Unauthorized use of computer (section 342.1(1)), as it covers the unauthorized collection and possession of computer passwords.
* Possession of device to obtain computer services (section 342.1(2)), which covers the use of spyware and hacking tools.
Case law available? No new case law known.
Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law(s): Such an incident would likely involve:
* Identity theft (section 402) if the trafficker were reckless as to whether the information will be used to commit an indictable offence that includes fraud, deceit or falsehood.
* If the database consisted not of email addresses but of credit card data (incl. personal authentication information), this could also trigger section 342(3), which criminalizes the unauthorized use of credit card data.
* If the database contained computer passwords, section 342.1(1) (unauthorized possession of and trafficking in such passwords) would apply.
* If the email addresses were collected by a company without the consent of the respective individuals, and the company intended to sell the database or use it for marketing purposes, this is likely to violate PIPEDA, given that under this act email addresses are considered ‘personal information’.
* Private rights of action can be found in numerous Canadian statutes, ranging from provincial consumer protection laws (like Ontario's Consumer Protection Act, 2002, S.O. 2002, c. 30, ss. 14-18).
Case law available? With respect to the question of unsolicited email for marketing purposes sent to email addresses obtained without the consent of the individual, the Privacy Commissioner decided that, in accordance with Section 2; Principles 4.3; paragraphs 7(1)(d) and 7(2)(c.1); and Principles 4.1 and 4.1.3, the collection of email addresses on public websites (eg, the employer’s homepage) violates privacy protection rules. The company was asked to change its business practices, and followed the request (see footnote 116). No new case law known.
Using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits
Applicable law(s): This would likely at least allow for the application of the following statutes:
* Identity theft, as the offender possesses another person’s identity information with the intention to commit an offence (section 402).
* Identity fraud, given that the offender impersonates another person to gain financial benefits (section 403).
* Forgery, if the offender made or altered the document himself (section 366).
* Use of a forged document, as the offender will use the false document as if it were genuine (section 368(1)).
* Fraud (section 380(1)), given that the purpose of the deception is to gain economic benefit.
* Drawing document without authority (section 374), if in the process a document is signed with the name of another person.
If this act were to involve using a forged security card, or someone else’s security card (in Canada this is the Social Insurance Number (SIN) card), section 141(1) of the Employment Insurance Act (see footnote 117) would also be relevant. This provision makes it an offence to a) knowingly apply for more than one SIN, b) use someone else's number to deceive and defraud, c) loan or sell a SIN or a SIN card to deceive or defraud, or d) manufacture a SIN card. The penalty is a fine of up to $1,000, imprisonment for up to one year, or both.
Case law available? No new case law known.

116 Case Summary #2005-297, available at http://www.priv.gc.ca/cf-dc/2005/297_050331_01_e.cfm

ID theft reporting mechanisms
Reporting site: There is no one-stop-shop mechanism in place for reporting ID theft-related crimes in Canada; rather, there are several points of information on fraudulent activities in general (including identity theft) and a few that specifically target identity theft.
These usually provide information on how to prevent identity theft, and on what to do in case of becoming a victim of identity theft and related crimes. When dealing with identity theft, these websites regularly do not differentiate between online and offline. Some of these websites have hotlines in place to give guidance over the phone, or online complaint forms to report fraudulent activities and/or identity theft. These websites and hotlines are operated by a range of different entities, including Canadian law enforcement agencies, ministries and other governmental entities, as well as not-for-profit organizations. However, none of these hotlines/websites seems to coordinate the further process; rather, they provide guidance on the steps to be taken after having become a victim, and raise awareness by providing information material to the public. A selection of these available resources is provided in the following paragraphs.

Canadian Anti-Fraud Centre (CAFC) (http://www.phonebusters.com/) (formerly known as PhoneBusters)
Established in January 1993, CAFC is jointly managed by the Royal Canadian Mounted Police, the Ontario Provincial Police, and the Competition Bureau of Canada. Besides educating the public on specific fraudulent schemes, it provides a call centre for victims of fraud (including ID theft) where they can receive guidance on what to do. It is the central agency in Canada for collecting information on identity theft complaints. While it does not conduct any investigations, it makes information available to outside law enforcement agencies and provides assistance to them. It collects statistics and makes them publicly available.

117 Employment Insurance Act, S.C. 1996, c. 23. Available at: http://www.servicecanada.gc.ca/eng/ei/legislation/ei_act_jan2010_e.pdf
Reporting Economic Crime Online (RECOL) (https://www.recol.ca/intro.aspx?lang=en)
RECOL is an initiative of international, federal and provincial law enforcement agencies, regulators and private commercial organizations. It provides a complaint mechanism, information material on how to avoid becoming a victim, as well as trends and statistics on economic fraud. One of its subsections is dedicated to identity theft and how to safeguard oneself from becoming a victim.

Canada’s Office of Consumer Affairs (OCA) (http://www.ic.gc.ca/eic/site/ocabc.nsf/eng/h_ca02226.html)
OCA has a website on Privacy & Identity Protection that links to the identity theft kit for consumers developed by the Consumer Measures Committee (CMC) (http://cmcweb.ca/eic/site/cmc-cmc.nsf/eng/fe00084.html). The CMC had been created under Chapter Eight of the Agreement on Internal Trade (AIT), and served as a federal-provincial-territorial forum for national cooperation to improve the marketplace for Canadian consumers, through harmonization of laws, regulations and practices and through actions to raise public awareness. The CMC had also developed an identity kit for businesses. These kits combine information on how to find out whether one has become a victim of identity theft, how to reduce the risk of such an event, and what to do in case of identity theft.

Public Safety Canada (http://www.publicsafety.gc.ca/prg/le/bs/consumers-eng.aspx)
The Canadian Ministry of Public Safety has a special website on identity theft that provides general information on this crime, and advice for consumers on how to avoid becoming a victim of identity theft and what to do if they become victims.
Royal Canadian Mounted Police (RCMP) (http://www.rcmp-grc.gc.ca/scamsfraudes/id-theft-vol-eng.htm)
Within its Fraud and Scam website, the Royal Canadian Mounted Police has a subsection on identity theft that provides a definition in accordance with the recently introduced law, recommendations on how to prevent identity theft, and the steps to take if one becomes a victim of identity theft.

The Office of the Privacy Commissioner (http://www.priv.gc.ca/fs-fi/02_05_d_10_e.cfm)
The Office of the Privacy Commissioner provides a factsheet on identity theft on its website that informs the public what they can do to fight identity theft and what actions to take in case they become victims of identity theft.

Canadian Council of Better Business Bureaus (BBB) (http://www.bbb.org/canada/)
The BBB is a private, non-profit organization that aims to ‘monitor and report marketplace activities to the public.’ It provides a fraud reporting website, and provides information on marketplace fraud via its publications. BBB has no legal mandate but, according to its website, it ‘work[s] closely with local, state, and federal law enforcement agencies, providing them with valuable information on potentially fraudulent activities.’

Heads Up Fraud Prevention Association (http://www.heads-up.ca/)
This is a program integrated into the Alberta Police Service. Its aim is to develop and provide to the public fraud prevention information in relation to fraud-related activities both on and off the Internet. One of the key areas of its work is ID theft.

The Canadian Bankers Association (CBA) (http://www.cba.ca/index.php?option=com_content&view=article&catid=42&id=60&Itemid=55&lang=en)
The CBA also provides a website with information on the current identity theft regulation, and recommendations on how to prevent identity theft.
Personal assessment of the framework for combating ID theft
In light of the federal structure, which in certain relevant areas provides for decentralized layers of applicable regulation in addition to the federal level (eg, data privacy regulation), it has to be cautioned that the assessment of the most important legislation on the federal level cannot, of course, provide an exhaustive picture. However, in particular taking into account the most recent amendments of the Criminal Code with respect to identity theft-related crimes, it seems that overall the legal framework for combating ID theft incidents in Canada is quite comprehensive. How effectively the new provisions will be enforced remains, however, to be seen. Some possibility for improvement seems to exist with respect to the online environment, in particular when it comes to spam, which can foster phishing and other identity-related crimes. A comprehensive act, proposed in 2009, aimed to address this issue by covering regulation of the online environment with respect to spam and related threats (such as identity theft, phishing, spyware, viruses, and botnets). This act, which would have provided an additional right of civil action, has however not been enacted. While there is a broad range of information available online on how to prevent identity theft and what to do in case it happens, there is no one-stop-shop point for reporting. Victims still have to report to the local law enforcement office, and contact several administrative agencies in order to remedy the ID theft.

China

Applicable laws

Laws focusing explicitly on ID theft
There is no legislation in China that focuses explicitly on ID theft as a specific crime, or that defines such a crime. In practice, ID theft incidents are combated using the relevant provisions in a variety of laws (in relation to privacy protection, fraud, forgery of authority documents, etc.).
No such legislation is currently under consideration to our knowledge, despite a couple of high-profile ID theft cases that have been tried by the courts under the relevant legal provisions.

Other laws that may apply to ID theft incidents

Tort Liability Law applied to privacy breaches (侵权责任法)
Relevant law: Law of 26 December 2006, which formally recognizes privacy as a category of civil right in China.
Reference: See http://www.law-lib.com/law/law_view.asp?id=305260
Main provisions in relation to ID theft: Article 2 provides that tortious liability arises upon the infringement of ‘civil rights and interests,’ an extremely broad category that includes personal and property rights and interests such as the right to life, the right to health, rights associated with names, reputation rights, honorary rights, the right to one's image, the right to privacy, the right to marital autonomy, the right to guardianship, ownership rights, usufruct, collateral rights, copyrights, patent rights, exclusive rights to use trademarks, discovery rights, equity rights and inheritance rights. The provision for the first time expressly stipulates that there is a ‘right of privacy’ in China, but there is no further elaboration of precisely what this right consists of.
Prescribed sanction: As a general principle, a person will incur liability where he infringes upon another person's civil rights and interests and is at fault. The Law establishes the principal remedies that may be used, either independently or jointly, against an individual who commits a tort.
Possible remedies include:
* Requiring an individual or company to cease infringement (of civil rights);
* Eliminating the risk caused by a person's tortious conduct;
* Removing the obstacle to the exercise of rights created by such conduct;
* Returning property to the victim of a tort;
* Restoring the state of affairs to what it was prior to commission of the tort;
* Compensating the victim of the tort for damages suffered;
* Making an apology;
* Eliminating adverse effects; and/or
* Restoring the injured party's reputation.

Measures for the Administration of Protecting the Security of International Connections to Computer Information Networks (计算机信息系统国际联网安全保护管理规定)
Relevant law: Measures enacted on 17 December 1997.
Reference: http://www.law-lib.com/law/law_view.asp?id=13628
Main provisions in relation to ID theft: Article 7 provides that the communication freedom and privacy of network users is protected by law. No unit or individual may, in violation of these regulations, use the Internet to violate the communication freedom and privacy of network users.
Prescribed sanction: Violations are subject to the administrative punishments stipulated by the relevant law.

Measures for Administration of Email Service on the Internet (互联网电子邮件服务管理办法)
Relevant law: Measures enacted on 20 February 2006.
Reference: http://www.law-lib.com/law/law_view.asp?id=143610
Main provisions in relation to ID theft: Article 3 provides that citizens’ privacy of correspondence in using Internet email services shall be protected by law. Unless the public security organ or prosecutorial organ inspects the contents of correspondence pursuant to the procedures prescribed by law and for the purpose of protection of national security or investigation of crimes, no organization or individual shall infringe upon any citizen’s privacy of correspondence on any pretext.
Articles 9 and 12 prohibit the use, sale, sharing or exchange via the Internet of email addresses of others obtained through online automatic collection or arbitrary alphabetical or digital combination, and the sending of emails to addresses obtained through the foregoing means.
Prescribed sanction: Violations are subject to fines of up to RMB Yuan 10,000, or RMB Yuan 30,000 if illegal gains were acquired.

Law for the Protection of Minors (未成年人保护法)
Relevant law: Law of 4 September 1991, revised on 29 December 2006, which protects the privacy of minors.
Reference: See http://www.law-lib.com/law/law_view.asp?id=184008
Main provisions in relation to ID theft: Article 39 of the Law forbids infringement of the privacy of minors. Except for criminal investigations or supervision by guardians, no minors’ mails, diaries or emails shall be opened and read. Article 58 provides that, with regard to cases involving crimes committed by minors, the names, home addresses and photos of such minors, as well as other information which can be used to deduce who they are, may not be disclosed before the judgment in news reports, films, television programs or any other openly circulated publications.
Prescribed sanction: Acts infringing the privacy of minors are, in serious circumstances, subject to administrative punishment by the police.

Law on the Identity Card of Residents (居民身份证法)
Relevant law: Law of 28 June 2003, which protects citizens’ privacy in relation to identity cards.
Reference: See http://www.law-lib.com/law/law_view.asp?id=78264
Main provisions in relation to ID theft: Articles 15 and 19 of this Act provide that no organization or individual has the right to check or retain a citizen’s identity card except for the police, who are required to keep confidential any personal data obtained from the identity cards. Articles 17 and 18 forbid forging or otherwise altering a residence registration, or assuming another person’s registration.
Prescribed sanction: Police who disclose citizens' personal information acquired through making, distributing, checking or confiscating identity cards, and thereby damage the legitimate rights and interests of the citizens, shall be subject to administrative punishment, or to criminal penalties in serious circumstances. Acts of forging or otherwise altering a residence registration, or assuming another person's registration, are punishable by fines, detainment or penalties if circumstances are serious.

Regulations on the Publication of Governmental Information (政府信息公开条例)
Relevant law: Regulations on the Publication of Governmental Information were enacted on 5 April 2007.
Reference: See http://www.law-lib.com/law/law_view.asp?id=199898
Main provisions in relation to ID theft: Article 14 prohibits any administrative organ from publishing certain governmental information that involves State secrets, trade secrets or personal privacy.
Prescribed sanction: An administrative organization that violates the privacy protection obligation is subject to administrative or criminal punishment.

Criminal Law

Criminal punishment of privacy infringement
Relevant law: The law of 1 July 1979 criminalizes privacy invasion.
Reference: See http://www.dffy.com/wz/zhaishow.asp?id=8064
Main provisions in relation to ID theft: Article 253bis, which was added to the Criminal Code by amendment on 28 February 2009, imposes criminal liability on persons who misappropriate personal information in the course of performing their professional duties. Both private sector and governmental agency personnel who misappropriate a citizen's personal data are subject to the penalty.
Prescribed sanction: Personnel of government agencies or of financial, telecommunications, transportation, educational and medical institutions who sell or illegally provide to others a citizen's personal information acquired in the course of performing their duties or providing services are, in serious circumstances, to be sentenced to imprisonment for less than three years or detention, or to a fine (as a single penalty or concurrently with other penalties). An enterprise, or a supervisor in an enterprise ('management personnel with direct responsibility'), shall be liable for such misappropriations conducted by the enterprise.

Fraud
Relevant law: Criminal Code
Reference: See http://www.dffy.com/wz/zhaishow.asp?id=8064
Main provisions in relation to ID theft: Article 266 sanctions fraud crimes. Articles 192-200 punish the crime of financial fraud. This section sanctions any act of using deception to appropriate someone else's property (including fraudulent loans, credit card debits or insurance claims).
Prescribed sanction: Punishments provided by the law are fixed-term or life imprisonment, fines and/or confiscation of illegal property. Crimes under Articles 192, 194 and 195 in extremely serious circumstances may be subject to the death penalty.

Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law: Criminal Code
Reference: See http://www.dffy.com/wz/zhaishow.asp?id=8064
Main provisions in relation to ID theft: Article 280 punishes the crimes of forging, altering or selling governmental documents, certificates or seals, forging the seals of enterprises or other entities, or forging or altering citizens' identity cards.
Prescribed sanction: Punishment provided by the law is imprisonment up to 10 years.
Cybercrime - illegal access to information systems (hacking)
Relevant law: Criminal Code
Reference: See http://www.dffy.com/wz/zhaishow.asp?id=8064
Main provisions in relation to ID theft: Article 285 punishes the acts of illegally hacking into a computer system, providing illegal tools specifically used for hacking, or knowingly providing programs or tools for hacking.
Prescribed sanction: Punishment provided by the law is imprisonment up to 7 years and/or fines.

Cybercrime – illegal data interference
Relevant law: Criminal Code
Reference: See http://www.dffy.com/wz/zhaishow.asp?id=8064
Main provisions in relation to ID theft: Article 285 punishes the acts of illegally controlling computer systems or obtaining the data stored, processed or communicated in computer systems, providing illegal tools specifically used for controlling computer systems, or knowingly providing programs or tools for such purposes. Article 286 punishes the acts of illegally deleting, altering, adding to or interfering with the functioning of computer systems so as to cause malfunctions; illegally deleting, altering or adding data stored, processed or communicated in a computer system so as to cause serious consequences; and intentionally producing and spreading computer viruses and/or other disruptive programs that affect the normal functioning of a computer system and cause serious consequences.
Prescribed sanction: Punishment provided by the law is imprisonment up to 5 years.

Cybercrime – computer-related forgery
Relevant law: Criminal Code
Reference: See http://www.dffy.com/wz/zhaishow.asp?id=8064
Main provisions in relation to ID theft: No specific provision, but the conduct may be treated as analogous to Article 285.
Prescribed sanction: Analogous to the punishment provided by Article 285.
Cybercrime – computer-related fraud
Relevant law: Criminal Code
Reference: See http://www.dffy.com/wz/zhaishow.asp?id=8064
Main provisions in relation to ID theft: Article 287 provides that financial fraud committed via a computer shall be sanctioned according to the relevant stipulations (Articles 192-200) of the law.
Prescribed sanction: Punishments provided by the law are fixed-term or life imprisonment, fines and/or confiscation of illegal property. Crimes under Articles 192, 194 and 195 in extremely serious circumstances may be subject to the death penalty.

Application in practice
In the sections below, we examine if and how these regulations are applied in practice, including the identification of any known case law and resulting sanctions.

Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else's name)
Applicable law(s): This involves:
• Criminal Law: crimes of illegally controlling a computer system;
• Tort Liability Law: violation of a citizen's right associated with names, reputation rights and right to privacy;
• Measures for the Administration of Protecting the Security of International Connections to Computer Information Networks: violation of communication freedom and netizens' privacy.
Case law available? There have been many disputes, but no case law has been made public so far.

Unlawfully using another person's credentials (eg, using someone else's username or password to send emails in his/her name)
Applicable law(s): This involves:
• Criminal Law: crimes of fraud, forgery and illegally controlling a computer system;
• Tort Liability Law: violation of a citizen's right associated with names, reputation rights and right to privacy;
• Measures for the Administration of Protecting the Security of International Connections to Computer Information Networks: violation of communication freedom and Internet users' privacy;
• Measures for Administration of Email Service on the Internet, issued by the Ministry of Information Industry: violation of citizens' privacy of correspondence in using Internet email services.
Case law available? There have been a number of offline cases involving ID theft. In October 2009, Shaoyang Beita District People's Court decided an identity theft case. In 2004, Wang Zhengrong paid RMB Yuan 50,000 (USD 10,680) to secure a swap of the identities and college-entrance examination information of her daughter and Luo Caixia, to enable her daughter to be admitted to a university. Luo discovered that her identity had been stolen when she tried to open a bank account but was told that her identity was already in use. Nor could she find a job, because the graduation and professional certificates she had been working towards could not be issued, as they had already been issued to Wang's daughter under her name. Eventually Wang Zhengrong was prosecuted and detained on charges of forging official documents, certificates and seals. Wang was sentenced to four years' fixed-term imprisonment. The university degree obtained by Wang's daughter through identity theft was revoked. But Luo Caixia found that resuming her true identity would take longer than expected, because she was still turned down by both banks and on the job market. Although she sought civil remedies by suing Wang Zhengrong and others for infringing her right of name and education, it does not seem that she will obtain any compensation from the prolonged proceedings in the near future.
Luo Caixia is by no means the only victim. In August 2001, Shandong High People's Court ruled for Qi Yuling, whose constitutional right to receive education was infringed by the defendant's theft of her identity and college-entrance examination information. The decision was affirmed by the Supreme People's Court in an official reply to Shandong High People's Court. Unfortunately, the official reply was repealed by the Supreme People's Court in a decision effective from 24 December 2008, which leaves uncertainty in the handling of ID theft cases.

Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else's bank account)
Applicable law(s): This involves:
• Criminal Law: crimes of fraud, forgery and illegally controlling a computer system;
• Tort Liability Law: violation of a citizen's right associated with names, reputation rights and right to privacy;
• Measures for the Administration of Protecting the Security of International Connections to Computer Information Networks: violation of communication freedom and Internet users' privacy;
• Measures for Administration of Email Service on the Internet: violation of citizens' privacy of correspondence in using Internet email services.
Case law available? In May 2009, the police station of Shanghai Baoshan District investigated a phishing website that had been trapping users into entering their usernames and passwords for Taobao, an online transaction platform, in a fake system, in order to steal the money in the users' transaction accounts. In two months, the phishing website stole more than RMB Yuan 10,000. In June 2009, four phishing website operators were arrested. In January 2010, they were sentenced by Shanghai Baoshan District People's Court to imprisonment for the crime of fraud.
Using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits
Applicable law(s): This involves: Criminal Law: crimes of forging, altering or selling governmental documents, certificates or seals, or forging or altering citizens' identity cards.
Case law available? There have been disputes in which people submitted falsified ID documents to apply for governmentally subsidized housing benefits. But no case law has been made publicly available.

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law(s): This involves: Criminal Law: crimes of fraud and of selling or illegally providing to others a citizen's personal information acquired in the course of performing duties or providing services.
Case law available? In 2009, Zhou illegally purchased a detailed log of telephone calls made by high-ranking local government officials, then sold it to fraudsters who used it to impersonate the officials over the telephone. The fraudsters convinced friends or relatives of the officials that the officials needed money for an emergency, and induced them to transfer money to a bank account controlled by the fraudsters. While the fraudsters were prosecuted for swindling, Zhou was convicted by Zhuhai Xiangzhou District People's Court of the crime of illegally obtaining a citizen's personal information. Zhou was sentenced to 18 months' imprisonment and a fine of RMB Yuan 2,000. The case showed that not only the selling or illegal provision of citizens' personal information to other persons by the working personnel of particular organizations, but also the illegal obtaining of such information by theft or other means, is subject to penalty where the circumstances of the case are serious. No other notable case law has been identified.
ID theft reporting mechanisms
In China, no governmental reporting mechanisms are dedicated exclusively to identity theft. Cybercrime or other forms of fraud may be reported to the police, in the same way as any other type of crime. To facilitate the handling of online ID crime incidents, all Internet infrastructure operators, access providers and users shall accept the police's security supervision, inspection and guidance; they must truthfully provide the information, materials or data on security protection, and assist the police in investigating such cybercrime.

Some non-governmental reporting mechanisms have been established in some regions. They are, however, not operated by law-enforcement agencies, and have only an informational function or provide a technical solution. Supplementing these, the Anti-Phishing Alliance was established by a number of domain name registries, registrars, banks, e-commerce websites and security technology companies. The China Internet Network Information Center (CNNIC), which is the Chinese country-code top-level domain registry, acts as the secretariat and is responsible for receiving reports of specific phishing incidents. A website, once reported and recognized as a phishing site, will be stopped via a resolution by the member registrar of the Alliance. URL: http://www.cnic.cas.cn/zcfw/cnnic/fwgf/fdlm/200909/t20090928_2528998.html

Finally, the Internet Society of China maintains an Illegal and Inappropriate Information Reporting Center. People may report phishing or other illegal websites to the Center, which then forwards the reports received to the competent authorities, such as the police. URL: http://jubao.china.cn:8088/reportinputcommon.do

Personal assessment of the framework for combating ID theft
China has no specific anti-ID theft law, nor is there any specific legal stipulation on ID theft. The legal sources are relatively sporadic (ie, with little coordination) and complicated.
With respect to criminal punishments, ID theft can be criminalized as fraud, forgery, hacking or computer system interference, etc., depending on the circumstances of the case. With respect to administrative punishments, there are a number of laws or regulations addressing the issue from different perspectives, such as computer security, privacy and personal data, confidentiality of communications, etc. The legally complex situation frequently puzzles the enforcement agencies.

Civil liability is generally weak and poorly enforced. Most ID theft victims do not receive any monetary compensation and experience tremendous difficulty in resuming their own identity. There is no centralized ID theft reporting and protection mechanism provided by any law or operated by any governmental agency. ID theft cases are primarily handled by the police and have to undergo the regular lengthy procedure of investigation and prosecution, which cannot provide timely legal remedies to victims. In the long run, China needs to seriously address the ID theft issue, which is becoming ubiquitous, by setting up a comprehensive and coherent legal system and an effective enforcement mechanism.

Cyprus

Applicable laws

Laws focusing explicitly on ID theft
Even though there is no specialised legislation in Cyprus concentrating solely on the criminal aspects of identity theft, ID theft incidents may be combated using other laws and regulations concerning cybercrime, personal data protection, criminal sanctions, fraud, etc. There is no publicly available information on whether any new legislation is envisaged to cover ID theft crimes. Instead, the policy emphasis in Cyprus, especially on the part of the Cyprus Police, is more on improving awareness of ID theft risks among potential victims.
Other laws that may apply to ID theft incidents

Data protection laws
Relevant law: The Processing of Personal Data (Protection of Individuals) Law of 2001, Law 138(I)/2001, adopted on 23.11.2001, as amended on 2.5.2003 by amending Law No. 37(I)/2003 (Ο Περί Επεξεργασίας Δεδομένων Προσωπικού Χαρακτήρα (Προστασία του Ατόμου) Νόμος)
Reference: http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/index_en/index_en?opendocument
Main provisions in relation to ID theft: The Law transposes the Data Protection Directive 95/46/EC. ID theft incidents will typically constitute unlawful processing, as they will violate the conditions for lawful processing of personal data (section 4), which include an obligation to process data fairly and lawfully, an obligation to collect personal data for specified, explicit and legitimate purposes, and a requirement that such data are not further processed in a way incompatible with those purposes. Under the Law, personal data may be processed only if the data subject has unambiguously given his consent (section 5). There is also an obligation of confidentiality and security of processing (section 10): the data controller must take the appropriate organizational and technical measures for the security of data and their protection against accidental or unlawful destruction, accidental loss, alteration, unauthorised dissemination or access and any other form of unlawful processing. Such measures shall ensure a level of security appropriate to the risks involved in the processing and the nature of the data processed. The Law also grants certain rights to data subjects, such as the right of information (section 11); the right of access, and the right to rectification, erasure or blocking of inaccurate data or of data the processing of which has not been performed in accordance with the provisions of this Law (section 12); and the right to object (section 13).
Finally, there are certain formal obligations, such as prior notification to the Cypriot Commissioner for the Protection of Personal Data (section 21).
Prescribed sanction: According to section 17, the data controller shall compensate a data subject who has suffered damage by reason of a violation of any provision of this Law, unless he proves that he is not responsible for the event that caused the damage. The data subject also has a right to temporary judicial protection (section 16). Section 25 of the Law also provides for administrative sanctions, namely (a) a warning with a specific time-limit for termination of the contravention; (b) a fine of up to EUR 9000; (c) temporary revocation of a licence; (d) permanent revocation of a licence; and (e) the destruction of a filing system or the cessation of processing and the destruction of the relevant data. Finally, the Law provides for certain offences and penalties under section 26, which may be sanctioned by imprisonment for a term not exceeding five years or by a fine not exceeding EUR 9000, or both.

Communications secrecy laws – existence and technical aspects of electronic communication
Relevant law: Law Regulating Electronic Communications and Postal Services of 2004, N.112(I)/04, as amended, adopted on 30 April 2004 (Ο Περί Ρυθμίσεως Ηλεκτρονικών Επικοινωνιών και Ταχυδρομικών Υπηρεσιών Νόμος Του 2004, Ν.112(Ι)/2004)
Reference: See http://www.ocecpr.org.cy/nqcontent.cfm?a_id=2166&tt=ocecpr&lang=gr
Main provisions in relation to ID theft: Pursuant to Section 98 of the Law, providers of publicly available electronic communications networks and/or services must take all appropriate technical and organisational measures to safeguard the security of their networks and services, to an extent appropriate to the level of risk presented, having regard to the cost of implementing such security systems and the state of the art of technical capabilities.
In case of a particular risk of a breach of the security of the network, providers must inform their subscribers of such risk and of any possible remedies for its avoidance, including an indication of the likely costs involved. An obligation to take appropriate technical and organisational measures is also imposed by Section 99 of the Law, which provides that publicly available electronic communications networks and/or services, as well as their employees, must take all such measures to safeguard the confidentiality of each communication and related traffic data carried by means of a public communications network and publicly available electronic communications services. In this respect, no person, other than users communicating between themselves from time to time, is allowed to listen in to, tap, store, intercept and/or undertake any other form of surveillance of communications without the consent of the users concerned, except where this is provided for by law and authorised by the Court.

Section 149(6) of this Law prohibits the following acts:
• sending, by means of a public communications network, a message and/or other matter that is grossly offensive and/or of an indecent, obscene and/or menacing character;
• sending, by means of a public communications network and for the purpose of causing annoyance, inconvenience and/or needless anxiety to another, a message that he knows to be false, and/or persistently making use of a public communications network for that purpose.

Section 149(7) of this Law prohibits the use of any apparatus for the purpose of interfering with any other apparatus.
Section 149(8) of this Law prohibits a person who is an authorised undertaking, or is employed by an authorised undertaking, or is engaged in any capacity by any authorised undertaking, from doing the following if in contravention of his duty:
• prevents and/or obstructs the sending, conveying and/or delivery of any message;
• intentionally amends and/or interferes with the content of any message; and/or
• intentionally intercepts any message and/or intentionally discloses and/or uses the content of any message, or any information and/or document that relates to the content of any message, and/or to the public affairs and/or personal particulars of any person.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of section 149(6) can be criminally sanctioned with fines of up to EUR 1700.
• Violations of section 149(7) can be criminally sanctioned with imprisonment not exceeding 3 months or with fines not exceeding EUR 1000, or with both such penalties.
• Violations of article 147(8) can be criminally sanctioned with imprisonment not exceeding 6 months or fines not exceeding EUR 1700.

Communications secrecy laws – existence and technical aspects of electronic communication
Relevant law: The Constitution
Reference: See www.leginet.eu
Main provisions in relation to ID theft: The right of privacy is safeguarded by Article 15.1 of the Constitution. Article 15.1 is modelled on Article 8 of the European Convention on Human Rights, which proclaims a right to privacy as such.
The Convention has been ratified, together with its First Protocol, by the European Convention on Human Rights (Ratification) Law of 1962. The right to secrecy of correspondence is safeguarded by Article 17 of the Constitution, which provides that '(1) Every person has the right to respect for, and to the secrecy of, his correspondence and other communication if such other communication is made through means not prohibited by law'; and '(2) There shall be no interference with the exercise of this right except in accordance with the law and only in cases of convicted and unconvicted prisoners and business correspondence and communication of bankrupts during the bankruptcy administration.' The notion of correspondence includes not only letters in paper form but also other forms of communication in electronic form received at or originated from the workplace, such as telephone calls made from or received at business premises or emails received at or sent from office computers. On this basis, electronic communication is also part of private life.
Prescribed sanction: Not applicable

Communications secrecy laws – existence and technical aspects of electronic communication
Relevant law: The Law for the Protection of Confidentiality of Private Communications (Interception of Conversations) of 1996, Law No. 92(I)/1996 (Προστασίας του Απόρρητου της Ιδιωτικής Επικοινωνίας (Παρακολούθηση Συνδιαλέξεων) Νόμος του 1996, Ν. 92(I)/1996)
Reference: See www.leginet.eu
Main provisions in relation to ID theft: According to the Law, a person will be guilty of an offence if he/she:
• taps or intercepts, or attempts to tap or intercept, or causes or allows or authorises any other person to tap or intercept, any private communication, on purpose;
• uses, attempts to use, instigates or causes or authorises another person to use or to attempt to use any electronic, mechanical, electromagnetic, acoustic or other apparatus or machine for the purpose of tapping or intercepting any private communication, on purpose;
• reveals or attempts to reveal to any other person the content of any private communication, on purpose, while being aware or having reason to believe that the information was received by bugging or interception of private communication;
• uses or attempts to use, on purpose, the content of any private communication, while being aware or having reason to believe that the information was received by tapping or interception of a private communication.
Prescribed sanction: Violations of the Law can be criminally sanctioned with imprisonment up to three years.

Communications secrecy laws – existence and technical aspects of electronic communication
Relevant law: The Banking Law of 1997, Law No. 66(I)/1997, as amended by Law No. 74(I)/1999, Law No. 94(I)/2000, Law No. 119(I)/2003, Law No. 4(I)/2004 and Law No. 151(I)/2004
Reference: See www.leginet.eu
Main provisions in relation to ID theft: Section 29 of the Banking Law provides for the duty of banking secrecy. It reads that no director, chief executive, manager, officer, employee or any person who has by any means access to the records of a bank with regard to the account of any individual customer of that bank shall, while his employment in or professional relationship with the bank, as the case may be, continues or after the termination thereof, give, divulge, reveal or use for his own benefit any information whatsoever regarding the account of that customer. These provisions also apply to any branch of an electronic money institution licensed in another member state, or to any electronic money institution licensed in another member state which provides cross-border services.
Prescribed sanction: A violation of the banking secrecy obligation is an offence punishable with imprisonment up to two years or with a fine up to EUR 85,000, or with both, and in the case of a continuing offence by a further fine of up to EUR 1,700 for each day during which the offence continues.

Criminal Law

Fraud
Relevant law: Criminal Code, Cap. 154 (Ποινικός Κώδικας, Κεφ. 154)
Reference: See http://www.leginet.eu
Main provisions in relation to ID theft: Fraud falls within the general framework of 'false pretences' prescribed by section 297 et seq. of the Criminal Code. In general, the Criminal Code forbids criminal offences related to false pretences, including misrepresentation (s. 297), false impersonation and securing goods or the execution of an act by misrepresentation and false pretences (s. 298 and s. 299). Other offences include subterfuge and conspiracy to commit false pretences (s. 302), securing credit by false pretences (s. 301), fraud (s. 300), and fraudulent transactions in relation to property belonging to another person (s. 303), e.g. by advertising and pretending to be the owner of said property. Where fraud is specifically concerned, section 300 of the Criminal Code prescribes that fraud is committed where any person, by means of a fraudulent trick, acquires from another person anything which is the subject matter of theft, or instigates another person to give money or goods to a third person of higher value than what that person would have paid if such trick had not been used.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of the above sections can be criminally sanctioned with imprisonment up to 5 years.

Criminal Law

Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law: Criminal Code, Cap. 154 (Ποινικός Κώδικας, Κεφ. 154)
Reference: See http://www.leginet.eu
Main provisions in relation to ID theft: Forgery is punished by Part VIII of the Criminal Code. Section 333 of the Code is most relevant in that it prescribes that a criminal offence is committed where, fraudulently:
• a person draws a document which is not real;
• changes a document without authority in order to gain authority thereby;
• changes a document by inserting something therein which has the result of changing the consequences of the use of such document; or
• signs a document using someone else's name without that person's authorization, or using the name of a non-existent person.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of the above sections can be criminally sanctioned with imprisonment up to 3 years. However, if the forged document is a will, title deed, insurance document, bank guarantee or the like, imprisonment is up to 14 years.

Cybercrime - illegal access to information systems (hacking)
Relevant law: Law of 2004 Ratifying the Cybercrime Convention of 2001, Law No. 22(III)/2004
Reference: See www.leginet.eu
Main provisions in relation to ID theft: Illegal access to information systems is punished by Section 4 of the Law, according to which a person who intentionally and without right gains access to the whole or any part of a computer system by infringing security measures commits an offence. Within this framework, the term 'computer system' is interpreted by the Law as any device or group of inter-connected or related devices, one or more of which, pursuant to a program, performs automatic processing of data. System interference is also relevant in this respect.
By virtue of Section 7 of the Law, a person who intentionally and without right seriously hinders the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data commits an offence. Illegal interception further relates to illegal access. In this respect, pursuant to Section 5 of the Law, a person who intentionally intercepts without right, by technical means, computer data that is not transmitted to the public, from or within a computer system, commits an offence. Computer data is interpreted by Section 2 of the Law as any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function. With regard to illegal interception in particular, computer data includes data stored or emitted by electronic, magnetic or other means from a computer system carrying such computer data.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of Sections 4, 5 and 7 of the Law can be criminally sanctioned with imprisonment of between 2 and 5 years or with a fine up to EUR 34,000, or with both such penalties.

Cybercrime – illegal data interference
Relevant law: Law of 2004 Ratifying the Cybercrime Convention of 2001, Law No. 22(III)/2004
Reference: See www.leginet.eu
Main provisions in relation to ID theft: According to Section 6 of the Law, a person who intentionally and without right damages, deletes, deteriorates, alters or suppresses computer data commits an offence.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of Sections 4, 5 and 7 of the Law can be criminally sanctioned with imprisonment of between 2 and 5 years or with a fine up to EUR 34,000, or with both such penalties.
Cybercrime – computercomputer-related forgery Relevant law Law of 2004 Ratifying the Cybercrime Convention of 2001, Law No. Law No. 22(III)/2004 Reference See: www.leginet.eu Main provisions Computer-related forgery is punished by Section 9 of the Law, which in relation to ID makes it an offence for a person to, intentionally and without right, theft input, alter, delete or suppress computer data, resulting in inauthentic data with the intent that such data be considered or acted upon for legal purposes as if they were authentic. This is regardless of the fact that the data were directly readable and intelligible. Where misuse of Devices is concerned, section 8 of the Law prohibits the intentional production, sale, procurement for use, import, distribution, without the requisite rights, or otherwise making available of (i) A device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences 221 RAND Europe National Profiles established in accordance with Sections 4 to 7 of the Law; (ii) A computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed so that it be used for the purpose of committing any of the offences established in Sections 4 to 7 of the Law. Furthermore, this Section prohibits the intentional and without right possession of any of the aforementioned items for the purpose of using the same in order to commit any of the offences established in Sections 4 to 7 of the Law. Prescribed sanction Apart from damages that the victim may receive in civil proceedings, violations of Section 8 and 9 of the Law can be criminally sanctioned with imprisonment between 2 and up to five years or with a fine up to EUR 34,000 or with both such penalties. Cybercrime – computercomputer-related fraud Relevant law Law of 2004 Ratifying the Cybercrime Convention of 2001, Law No. Law No. 
22(III)/2004 Reference See: www.leginet.eu Main provisions Computer-related fraud is punished by Section 10 of the Law in relation to ID according to which, a person who intentionally and without right, theft with fraudulent or dishonest intent, causes damage to the property of another by inputting, altering, deleting or suppressing computer data or by causing any interference with the functioning of a computer system, and as a result procures, without right, an economic benefit for oneself or for another, will commit an offence. Prescribed sanction Apart from damages that the victim may receive in civil proceedings, violations of Section 10 of the Law can be criminally sanctioned with imprisonment between 2 and up to five years or with a fine up to EUR 34,000 or with both such penalties. Application in practice Claiming a false identity onon-line (eg, (eg, creating an account on a social networking net working site such as Facebook under someone else’s name) Applicable law(s) Such an incident would likely involve: • Violation of data protection laws, since personal data of the victim would likely be unlawfully processed to make the false identity believable (eg, publication of the victim's name, address, photo, etc.); 222 RAND Europe Case available? National Profiles • Violation of communication confidentiality laws, if the false profile results in messages being sent to the false profile which were intended for the real recipient and where communication between the 2 users is not authorised; • Forgery and/or computer-related forgery, if the forgery changed the legal impact of the information or where something was achieved without by false pretences; • Fraud and/or computer-related fraud, if the false identity was used to unlawfully appropriate property or money or some other benefit. 
• Violation of other laws relating to child pornography, prostitution and sexual offences in general in the event that false IDs are used by sexual predators to attract their victims. • Illegal access to information systems, if the credentials were used to access a system without authorisation law Not known. It should be noted that there is no readily available information about case-law at first instance level because in Cyprus only cases at appeal level are being recorded. Therefore, there may have been cases judged on this matter. There is currently a pending case regarding a Facebook incident but it does not concern false identity. According to a newspaper article, a 38year-old National Guardsman was remanded in custody in connection with the rape, corruption and sexual exploitation of a young girl whom he befriended on the social networking site. This was the first known incident in Cyprus where an alleged suspect had used the Internet to arrange a meeting with a minor and then sexually abuse them. Unlawfully using another person’s credentials (eg, (eg, using someone else’s username or password to send emails emails in his/her name) Applicable law(s) Such an incident would likely involve: • Violation of data protection laws, since personal data of the victim would likely be unlawfully processed to make the false identity believable (eg, publication of the victim's name, address, photo, etc.); • Violation of communication confidentiality laws, if the false profile results in messages being sent to the false profile which were intended for the real recipient and where communication between the 2 users is not authorised; • Forgery and/or computer-related forgery, if the forgery changed the legal impact of the information or where something was 223 RAND Europe National Profiles achieved without by false pretenses; Case available? • Fraud and/or computer-related fraud, if the false identity was used to unlawfully appropriate property or money or some other benefit. 
• Violation of other laws relating to child pornography, prostitution and sexual offences in general in the event that false IDs are used by sexual predators to attract their victims. • Illegal access to information systems, if the credentials were used to access a system without authorisation law Not known. It should be noted that there is no readily available information about case-law at first instance level because in Cyprus only cases at appeal level are being recorded. Phishing (using emails emails and/or falsified websites websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else’s bank account) Applicable law(s) Case available? The act of phishing itself (independent from what the perpetrator would do with the stolen information) would likely be: • a violation of the data protection law, since the credentials are likely to be considered personal data which is being unlawfully processed; • violation of communication confidentiality laws, if the collection of the credentials can be qualified as unlawful access to data related to electronic communication; • fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate property; • illegal data interference, if the act of phishing involved entering, changing or deleting information in an information system without authorisation (eg, in order to falsify a website). law No known case law. There have been many reported instances of phishing in the banking industry. 
Using spyware to obtain identity identity information (eg, (eg, installing a computer programme that records which usernames and passwords are used and communicates these to a hacker) Applicable law(s) The act of using the spyware itself (independent from what the perpetrator would do with the stolen information) would likely be: • a violation of the data protection laws, since the credentials are 224 RAND Europe National Profiles likely to be considered personal data which is being unlawfully processed; Case law available? • violation of communication confidentiality laws, if the collection of the credentials can be qualified as unlawful access to data related to electronic communication; • illegal access to information systems, since installing the spyware is likely a violation of access rights; • illegal data interference, since installing the spyware likely involves installing software on the victim’s information system without authorisation. No known case law. Trafficking in unlawfully obtained personal information (eg, (eg, selling databases of email addresses to email marketeers) Applicable Applicable law(s) Case available? The act of trafficking in unlawfully obtained information would likely be: • a violation of the data protection laws, since the personal information would be unlawfully processed; • a violation of communication confidentiality laws, if the personal information contained data related to electronic communication (like email addresses, IP addresses, etc.). law In 2009 there were 40 complaints filed with the Office of the Commissioner for the Protection of Personal Data regarding unsolicited marketing against an email marketing company. A fine of EUR 8000 was imposed. There were various other such fines imposed over the years. ID theft reporting mechanisms SafenetCY reporting site SafenetCY is the Cyprus Self Regulatory Body for Internet Content. It is the Hotline that promotes the safe use of Internet in Cyprus. 
It serves the needs of all people that live on the island and addresses not only issues of pornography, but also racism, gender discrimination and inappropriate use of peoples’ images. It operates as a combined Awareness Node and a Hotline under the name CyberEthics. The project engages actors from the government and the civil society, thus contributing towards the eradication of 225 RAND Europe National Profiles cyber crime through informed actions of European citizens and public institutions that aim to change behaviour, mentality and attitudes, giving special emphasis to rural and less developed areas of the country. SafenetCY accepts, processes, and forwards reports. Persons can report any content in the Internet that they believe is illegal or even annoying. This includes the reporting of websites, Newsgroups, FTP, emails and Chat rooms. In the case where content is hosted to another country than Cyprus, SafeNetCY takes the appropriate action to inform the specific country. The specific Objectives of the Hotline are the following: • • • • • • • • • Operate an island-wide hotline for Internet users in Cyprus to report illegal and harmful material and activities, so as to reduce the circulation of illegal content on the Internet. Inform users of the hotline’s scope of activity and how to contact it; Make clear to users the difference between their activities and those of public authorities, and inform them of the existence of alternative ways of reporting illegal content. Deal rapidly with complaints received, in accordance with best practice guidelines drawn up by the network and in cooperation with law enforcement authorities. Exchange specific information on identified illegal content with other members in the network. Participate actively in networking nationally and at European level and contribute to cross-border discussions and exchange of best practice. Co-operate with the awareness node present in the country and Europe Direct. 
Take an active part in events organized for safer Internet day at European, national and local level. Develop a structured method of concentration with the relevant actors (eg, Internet) Industry association, major communication service providers, media regulators, legal authorities) in cooperation with other safer Internet nodes in the country, if any. Every report is recorded at SafeNetCY’s Database. From that point every procedure has to be done no later than 24 hours from the time the report was made. The following steps are made by SafeNetCY: • • • • Verification: First, SafenetCY performs a typical verification of the reported content. If, for example, the report complains about a website, SafenetCY verifies that the address (URL) given exists and that its content is possibly illegal. If the report does not reefers to illegal content according to Cyprus Law, then no further actions are made with exception of the case the specific situation needs national attention (see 8. below). Tracing the source: Then, an attempt is made, using technical means, to trace the country where the reported content originates. Cyprus Police notification: SafenetCY forwards all reports, regardless of the originating country of the reported content, to the Cyprus Police. Ask help from child welfare: If the reporting source originates in Cyprus and the form of the report could hurt an involved child then the child welfare will take the appropriate actions to support the child. 226 RAND Europe • National Profiles Foreign hotline notification: If the reported content originates from abroad, the report is also forwarded to a hotline in the country of origin (if one exists). If the contents originates from Cyprus this specific step is omitted. The Police Usually, victims of ID theft report an incident directly to the police by visiting a police station of their area. 
Personal assessment of the framework for combating ID theft Due to the fact that the Republic of Cyprus has ratified the Cybercrime Convention and has harmonised Cypriot legislation with the applicable acquis communautaire, Globally, it can be said that the legal framework for combating ID theft incidents in Cyprus is adequate. The establishment of the SafenetCY Hotline has also facilitated the establishment of efficient reporting mechanisms. Victims of ID theft may report any event either through the SafenetCy Hotline or appeal directly to the Police. The SafenetCy Hotline is not promoted as a site for reporting Internet crimes only by non-victims but to the contrary it is a forum for actively protecting victims. ID theft appears to take a high priority in investigations, especially in cases of clear and significant harm to the victim. There are many reports in various public media such as news sites regarding the Police’s efforts and work in fighting cybercrime and ID theft especially where there are sexual offences against minors involved or theft. Investigation of incidents in cross border cases is regular in collaboration with INTERPOL and EUROPOL. There have been many instances where persons have been extradited to their country of origin in order to be tried for cybercrime offences committed on an international level. 227 RAND Europe National Profiles Czech Republic Applicable laws Laws focusing explicitly on ID theft No legislation exists in the Czech Republic that focuses explicitly on ID theft as a specific crime, or that defines such a crime. Introducing ID theft as a crime had been considered during the preparation of the new Penal Code in 2009; however no such crime was included when the Penal Code was adopted. Other laws that may apply to ID theft incidents Data protection protection law Relevant law Act No. 
101/2000 Coll., on the Protection of Personal Data and on the Amendment of Certain Acts of April 4, 2000, as amended (hereinafter ‘the Data Protection Act’) (Zákon č. 101/2000 Sb., o ochraně osobních údajů a o změně některých zákonů) Reference http://www.uoou.cz/uoou.aspx?menu=4&submenu=5 Main provisions in As under the Data Protection Directive 95/46/EC, ID theft relation to ID theft incidents will typically constitute unlawful processing, as they will violate the legitimacy requirements (Section 5), the proportionality obligations and the purpose restriction, the transparency obligations (Sections 11, 12), the security obligations (Section 13) and formal obligations such as the prior notification to the Czech Office for Personal Data Protection (Section 17). Prescribed sanction The violation of the Data Protection Act constitutes an administrative tort, for which a fine up to CZK 5,000,000 may be imposed (approximately EUR 200,000). Civil law Relevant law Act No. 64/1964 Coll., the Civil Code, of February 26, 1964, as amended (hereinafter ‘the Civil Code’) (Zákon č. 64/1964 Sb., občanský zákoník) Reference http://business.center.cz/business/pravo/zakony/obcanzak/ Main provisions in Section 11 Protection of personhood: relation to ID theft An individual has the right to protection of his or her 228 RAND Europe National Profiles personhood, in particular of his or her life and health, civic honour and human dignity as well as of its privacy, name and expressions of personal nature. Prescribed sanction Apart from the obligation to discontinue the infringement a court may impose a sanction of monetary compensation of the detriment suffered. The right to claim damages remains unaffected by this sanction. Communications secrecy laws Relevant law Act No. 
127/2005 Coll., on Electronic Communications and on the Amendment of Certain Related Acts (Zákon o elektronických komunikacích a o změně některých zákonů) Reference http://www.rrtv.cz/en/static/laws/Electronic_Communications_ Act.pdf Main provisions in Section 93 prohibits sending messages from an email address to relation to ID theft third parties without the consent of the holder of that email address. Prescribed sanction To legal entities and self-employed individuals a fine up to 10 percent of the revenues gained during the preceding calendar year, but not higher than CZK 5,000,000 (approximately EUR 200,000), may be imposed. To an individual a fine up to CZK 100,000 (approximately EUR 4,000) may be imposed. Breach of Privacy of Transmitted or Mailed Messages Relevant law Act No. 40/2009 Coll., the Criminal Code (Zákon č. 40/2009 Sb., trestní zákoník), (hereinafter the ‘Criminal Code’) Reference http://business.center.cz/business/pravo/zakony/trestni-zakonik/ Main provisions in The breach of the privacy of transmitted or mailed messages is relation to ID theft sanctioned under Section 182 of the Criminal Code. • Section 182 (1) sanctions the intentional breach of the privacy of: (a) (b) a closed (sealed) letter or another written communication forwarded by post or any other transmission; a data, text, voice, sound or image message sent via an electronic communication network and addressed to an identified participant or user, who is receiving the message; or 229 RAND Europe National Profiles (c) • Section 182 (2) sanctions the acquiring of an unlawful benefit with the intention to harm a third party by way of (a) (b) • breaching a secret, known from a letter, phone call or from a transfer over an electronic communication network involving such a secret; or using such a secret. 
Section 182 (5) sanctions an employee of a postal or telecommunication services or computer system or any person performing communication activities, who (a) (b) (c) Prescribed sanction a private computer data transfer in, out of or within a computer system, including the electromagnetic emission from the computer system that transfers data. commits the acts set out in Section 182 (1) and 182 (2); intentionally enables another person to commit the acts set out in Section 182 (1) and 182 (2); or modifies or deletes documentation contained in a certified mail or transferred by a transmission facility or a message delivered by private computer data transfer, phone or another similar way. Apart from damages that the victim may receive in civil proceedings: • The violation of Section 182 (1) (a), (b) or (c) may be criminally sanctioned with imprisonment for up to 2 years or with the prohibition of undertaking a (specific) activity; • The violation of Section 182 (2) (a) or (b) may be criminally sanctioned with imprisonment for up to 2 years or with the prohibition of undertaking a (specific) activity; • The violation of Section 182 (5) (a), (b) or (c) may be criminally sanctioned with imprisonment for between 1 and 5 years or with the prohibition of undertaking a (specific) activity or with a penalty; • Certain circumstances, such as causing extensive damage 230 RAND Europe National Profiles in an amount exceeding CZK 5,000,000 (approximately EUR 200,000) or committing an act under Section 182 as a public official, may further increase the sanction that the court may impose. Damaging Another Person's Rights Relevant law The Criminal Code (trestní zákoník) Reference http://business.center.cz/business/pravo/zakony/trestni-zakonik/ Main provisions in Damaging another person’s rights is sanctioned under Section relation to ID theft 181 of the Criminal Code. 
This Section sanctions causing a serious detriment to a third party rights by misleading such third party or by exploiting its mistake. The provisions of Section 181 protect other than property rights. Prescribed sanction Apart from damages that the victim may receive in civil proceedings, the violation of Section 181 may be criminally sanctioned with imprisonment for up to 5 years or the prohibition of undertaking a (specific) activity. Fraud Relevant law The Criminal Code (trestní zákoník) Reference http://business.center.cz/business/pravo/zakony/trestni-zakonik/ Main provisions in Fraud in general is sanctioned under Section 209 of the Criminal relation to ID theft Code. This Section sanctions obtaining a benefit in an amount exceeding CZK 5,000 (approximately EUR 200) for the offender or for a third party to the detriment of another person's property by misleading another person, or by taking advantage of another person's mistake or by withholding substantial facts. This would apply to any ID theft incidents involving the use of a false identity. This would also apply to any ID theft incidents involving the use of false identity information in an information system (eg, changing the name of the holder of a bank account, or performing banking transactions under someone else’s name). Prescribed sanction Apart from damages that the victim may receive in civil proceedings, the violation of Section 209 may be criminally sanctioned with imprisonment for up to 12 years, the prohibition of undertaking a (specific) activity, and a penalty or the forfeiture of a (specific) asset or other value. 231 RAND Europe National Profiles Forgery Forg ery and altering a public document document Relevant law The Criminal Code (trestní zákoník) Reference http://business.center.cz/business/pravo/zakony/trestni-zakonik/ Main provisions in Forgery or altering a public document is sanctioned under relation to ID theft Section 348 of the Criminal Code. 
This Section sanctions (i) forgering an official document or materially altering its contents with the intention to present such document as genuine, (ii) presenting such document as genuine, (iii) procuring such document for one’s own or a third party’s benefit, (iv) producing, offering, selling, mediating, maintaining accessible or possessing an instrument, equipment or its component, device or any other instrument including computer software created or adapted for the purpose of forgering or altering an official document. Prescribed sanction Apart from damages that the victim may receive in civil proceedings, the violation of Section 348 may be criminally sanctioned with imprisonment for up to 10 years or the prohibition of undertaking a (specific) activity. Cybercrime – Unlawful access to a computer system or data carrier (‘Hacking’) Relevant law The Criminal Code (trestní zákoník) Reference http://business.center.cz/business/pravo/zakony/trestni-zakonik/ Main provisions in Unlawful access to a computer system or data carrier is relation to ID theft sanctioned under Section 230 of the Criminal Code including in particular: • Section 230 (1) sanctions passing over a security device and unlawfully acquiring access to a computer system or its part. 
• Section 230 (2) sanctions acquiring access to a computer system or data carrier and (a) making unauthorized use of data stored in the computer system or on the data carrier; (b) unlawfully deleting data stored in the computer system or on the data carrier or in another way destroying, damaging, changing, deleting, lowering their quality or making them unusable; (c) falsifying or changing data stored in the computer system or on the data carrier so that the data are considered to be authentic or used as 232 RAND Europe National Profiles being authentic, no matter if such data are directly legible or understandable; or (d) unlawfully inserting data to the computer system or to the data carrier or intervening in a program or technical equipment of a computer or another technical facility used for data processing. This would apply to any ID theft incidents involving the use of false credentials to gain unauthorized access to an information system or to misappropriate credentials from such a system and to, for example, any ID theft incidents involving the use of false identity information in an information system. This would also apply to any ID theft incidents involving the falsifying of identity information stored in an information system. Prescribed sanction Apart from damages that the victim may receive in civil proceedings: • The violation of Section 230 (1) may be criminally sanctioned with imprisonment for up to 1 year, the prohibition of undertaking a (specific) activity or the forfeiture of a (specific) asset or other value. • The violation of Section 230 (2) (a), (b), (c) or (d) may be criminally sanctioned with imprisonment for up to 2 years, the prohibition of undertaking a (specific) activity or the forfeiture of a (specific) asset or other value. • Certain circumstances, such as causing damages or acquiring a benefit in an amount exceeding CZK 500,000 (approximately EUR 20,000) may further increase the sanction that the court may impose. 
Cybercrime – Acquiring or obtaining access equipment or codes for computer systems or other similar data data Relevant law The Criminal Code (trestní zákoník) Reference http://business.center.cz/business/pravo/zakony/trestni-zakonik/ Main provisions in Acquiring or obtaining access equipment or codes for computer relation systems or other similar data is sanctioned under Section 231 of relation to ID theft the Criminal Code. • Section 231 (1) sanctions the breach of the privacy of transmitted messages, unlawfully gaining access to a computer system or data carrier, importing, exporting, offering, mediating, selling or making otherwise accessible or preserving 233 RAND Europe Prescribed sanction National Profiles a) equipment or its part, process, tool or any other device, including a computer program, created or adjusted for the purpose of unlawfully gaining access to an electronic communication network, computer system or its part; or b) a computer password, access code, data, process or any other similar device by means of which it is possible to gain access to a computer system or its part. Apart from damages that the victim may receive in civil proceedings: • violations of Section 231 (1) (a) and (b) may be criminally sanctioned with imprisonment for up to one year, with the prohibition of undertaking a (specific) activity or with the forfeiture of a (specific) asset or other value. • Certain circumstances, such as acquiring an extensive personal or third party benefit in an amount exceeding CZK 500,000 (approximately EUR 20,000), may further increase the sanction that the court may impose. 
Cybercrime – Damaging a record record in a computer system system or a data carrier and interference with a computer feature feature through negligence negligence Relevant law The Criminal Code (trestní zákoník) Reference http://business.center.cz/business/pravo/zakony/trestni-zakonik/ Main provisions in Damaging a record in computer system or a data carrier and relation to ID theft interference with computer feature is sanctioned under Section 232 of the Criminal Code. This Section sanctions gross negligence in violating the obligations arising from employment, a profession, position or function or specified by law or by a contract, by a) destroying, damaging, changing or making not usable data saved in a computer system or data carrier; or b) interfering with technical or program equipment of a computer or other technical system for data processing and as a result causing a damage in an amount exceeding CZK 500,000 (approximately EUR 20,000). This would apply to any ID theft incidents involving falsifying of identity information stored in an information system by violating 234 RAND Europe National Profiles obligations arising from employment, a profession, position or function or specified by law or from a contract. Prescribed sanction Apart from damages that the victim may receive in civil proceedings: • The violation of Section 232 (1) (a) or (b) may be criminally sanctioned with imprisonment for up to 6 months, with the prohibition of undertaking a (specific) activity or with the forfeiture of a (specific) asset or other value. • Certain circumstances, such as causing an extensive damage (exceeding CZK 5,000,000 (approximately EUR 200,000), may further increase the sanction that the court may impose. 
Infringement of copyright, copyright, related rights and database rights Relevant law The Criminal Code (trestní zákoník) Reference http://business.center.cz/business/pravo/zakony/trestni-zakonik/ Main provisions in The infringement of copyright, related rights and data base rights relation to ID theft is sanctioned under Section 270 of the Criminal Code. This Section sanctions illegally infringing lawfully protected rights (covered by copyright) to an author's work, a performing artist's performance, a sound or audiovisual recording, or a radio or television broadcasting, or a database. Prescribed sanction Apart from damages that the victim may receive in a civil proceeding, a violation of Section 270 of the Criminal Code may be criminally sanctioned with imprisonment for up to 8 years, with the prohibition of undertaking a (specific) activity or with the forfeiture of a (specific) asset or other value. Application in practice Claiming a false identity onon-line (eg, (eg, creating an account on a social networking site such as Facebook under someone else’s name) Applicable law(s) Such an incident would likely involve: - a violation of data protection law, since personal data of the victim would likely be unlawfully processed to make the false identity credible (eg, publication of the victim's name, address, photo, etc.); 235 RAND Europe National Profiles - a violation of communication secrecy laws, if the false account receives messages intended for a real recipient; - a violation of the rights for protection of the personhood; - fraud; - unlawful access to a computer system or data carrier; - acquiring or obtaining access equipment or codes for computer systems or other similar data. Case law available? To our knowledge there is no relevant case law. 
Unlawfully using another person’s credentials (eg, (eg, using someone else’s username or password to send emails emails in his/her name) Applicable law(s) Most of the qualifications defined in Chapter 1 could apply, depending on how the credentials were used: - a violation of the data protection law, since the credentials are likely to be considered personal data which are being unlawfully processed; - fraud; - gaining unlawful access to a computer system or data carrier; - damaging another person’s rights; and - acquiring or obtaining access equipment or codes for computer systems or other similar data. Case law available? In 2008 an offender stole a passport of another person and acted as this person during criminal proceedings concerning theft, in which the offender was also found guilty under the other person’s name. The offender was subsequently accused of a criminal offence consisting in harming a third party’s rights. The criminal proceedings are ongoing and a sanction has not been imposed yet. The sanction may be imprisonment for up to two years. Phishing (using emails emails and/or falsified websites to trick users into giving up identity identity information, eg, to collect enough information to log on to someone else’s bank account) Applicable law(s) The act of phishing itself (independent from what the offender would do with the stolen information) would most likely qualify as: - a violation of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully 236 RAND Europe National Profiles processed; - fraud; and - gaining unlawful access to a computer system or data carrier. Case law available? There have been several cases involving phishing in relation to which a criminal investigation has been initiated, but to our knowledge no final judgements have thus far been issued in these cases. 
Using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits
Applicable law(s): Using falsified identity documents to unlawfully apply for social benefits would most likely qualify as:
- forgery and altering a public document; and
- fraud.
Case law available? To our knowledge there is no relevant case law.

Using spyware to obtain identity information (eg, installing a computer programme that records which usernames and passwords are used and communicates these to a hacker)
Applicable law(s): The act of using spyware (independent of what the offender would do with the stolen information) would likely qualify as:
- a violation of the data protection act, since the credentials are likely to be considered personal data which are being unlawfully processed;
- unlawful access to a computer system or data carrier; and
- acquiring or obtaining access equipment or codes for computer systems or other similar data.
Case law available? To our knowledge there is no relevant case law.

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law(s): The act of trafficking in unlawfully obtained information would likely qualify as:
- a violation of the data protection act, since the personal information would be unlawfully processed;
- unlawful use of personal data; this offence may be committed only in connection with the public administration.
Case law available? To our knowledge there is no relevant case law.

ID theft reporting mechanisms
The Office for Personal Data Protection
The Office for Personal Data Protection is an independent body supervising the observance of statutory requirements in the processing of personal data and deals with complaints from citizens concerning alleged infringements of the relevant legislation.
The Office may impose sanctions (penalties) for breaches of the Data Protection Act that constitute administrative torts.
Police of the Czech Republic
Where ID theft can be considered a violation of criminal law, the incident is to be reported to the Police in line with standard procedures. No special reporting mechanism has been established.
Other sites
The following websites focus on safety on the Internet. The first forms part of the EU programme ‘Safer Internet’; the second and third have been endorsed by the Czech Police and the Ministry of Education.
- http://www.saferinternet.cz/o-projektu
- http://www.emag.cz/komiks-bezpecny-internet/
- http://www.internethotline.cz/co-a-jak-hlasit-co-nehlasit.htm

Personal assessment of the framework for combating ID theft
Overall, it can be concluded that the legal framework for combating ID theft incidents in the Czech Republic is sufficiently comprehensive, as there do not appear to be any examples of ID theft incidents that are not covered under the present legislation.
The Czech Republic has adopted a new law significantly changing the punishment of cybercrime. With its entry into effect on 1 January 2010, the new Criminal Code includes a range of provisions sanctioning cybercrime. The proposals for these provisions were based on the Convention on Cybercrime adopted by the Committee of Ministers of the Council of Europe in 2001 (the Convention), which the Czech Republic signed in 2005 (but which has yet to be ratified by the Czech Republic).
Current regulations
Until the end of 2009, Section 257a of the former Criminal Code contained the only provision which explicitly described and dealt with what could be referred to as cybercrime.
The subject matter of this Section was the protection of computer data stored on a carrier of information against intentional unauthorised alteration, destruction or unauthorised use, as well as the protection of computers (computer systems) from unauthorised interference. A number of new criminal offences were only introduced as of 1 January 2010 by the new Criminal Code. Until then, the activities covered by these offences were prosecuted as other, more generally described, criminal offences. For these reasons the present total number of prosecuted, accused and convicted offenders for cybercrime is relatively low; however, it may be assumed that these numbers will increase significantly over the next years.
Another related issue is the lack of incentives to report ID theft. For example, banks and other financial institutions whose clients fell victim to ID theft are often reluctant to report these crimes to the law enforcement authorities for fear of reputational damage and loss of credibility, and they prefer instead to compensate their clients for any financial losses.
Legal consequences
The new Criminal Code takes into consideration recent developments in information technology and the know-how of cybercriminals, heralding a significant change in the prosecution of cybercrime in the Czech Republic.

Denmark
Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in Denmark that focuses explicitly on ID theft as a specific crime, or that defines such a crime. In practice, ID theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, etc.). No such legislation is currently under consideration according to available information.
Other laws that may apply to ID theft incidents
Data protection laws
Relevant law: Act no 429 of 31 May 2000 on processing of personal information (persondataloven)
Reference: See https://www.retsinformation.dk/Forms/R0710.aspx?id=828
Main provisions in relation to ID theft: As under the Data Protection Directive 95/46/EC, ID theft incidents will typically constitute unlawful processing, as they will violate legitimacy requirements, proportionality obligations and the purpose restriction (article 5), transparency obligations (articles 28 and 29), security obligations (article 41) and formal obligations such as the prior notification to the Danish Data Protection Agency (article 48).
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, the violations above can also be criminally sanctioned with fines or imprisonment for up to 4 months.

Communications secrecy laws – existence and technical aspects of electronic communication
Relevant law: Consolidation Act no 780 of 28 June 2007 on competition and consumer relations within the telecommunications market (Lovbekendtgørelse om konkurrence- og forbrugerforhold på telemarkedet)
Reference: See https://www.retsinformation.dk/Forms/R0710.aspx?id=29326
Main provisions in relation to ID theft: Article 13 of the Act states that owners and providers of telecommunication networks, and employees of the provider, are not allowed unlawfully to pass on or exploit information about the users’ use of the network. Furthermore, the owners and providers must take the necessary steps to ensure that the information is not available to third parties.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, a violation of article 13 can be criminally sanctioned with fines.
Communications secrecy laws – contents of electronic communication
Relevant law: The Criminal Code – Consolidation Act no 1034 of 29 October 2009 (Straffeloven)
Reference: See https://www.retsinformation.dk/Forms/R0710.aspx?id=126465
Main provisions in relation to ID theft: Article 263(1)(3) prohibits the use of a device to record or listen in on private communications. Article 263(2) prohibits unlawful access to third parties’ information and computer programs intended for use in an information system.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of article 263(1)(3): fines or imprisonment for up to 6 months.
• Violations of article 263(2): fines or imprisonment for up to 1 year and 6 months.
• Imprisonment for violations of either article 263(1)(3) or 263(2) may increase to 6 years if the information is a trade secret or the violation is otherwise considered to be gross, or, for article 263(2), if the violation is organised or systematic.

Criminal Law
Fraud
Relevant law: The Criminal Code – Consolidation Act no 1034 of 29 October 2009 (Straffeloven)
Reference: See https://www.retsinformation.dk/Forms/R0710.aspx?id=126465
Main provisions in relation to ID theft: Fraud in general is punished by Article 279 of the Criminal Code. This article sanctions any act of using deception (including the use of false names or titles, or any other type of deceptive manipulation or abuse of good faith or credulity) with a view to unlawfully appropriating someone else’s money or property. This would apply to any ID theft incidents involving the use of a falsified identity to appropriate money or property.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of article 279 can be criminally sanctioned with fines or imprisonment for up to 1 year and 6 months and, in the case of gross violations, for up to 6 years.
Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law: The Criminal Code – Consolidation Act no 1034 of 29 October 2009 (Straffeloven)
Reference: See https://www.retsinformation.dk/Forms/R0710.aspx?id=126465
Main provisions in relation to ID theft: Forgery is punished by Article 171. The clause covers both electronic documents and paper documents in situations where the document does not originate from the stated issuer or the content of the original document has been changed.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations can be criminally sanctioned with imprisonment for up to 1 year and 6 months and, in the case of gross violations, for up to 6 years.

Cybercrime – illegal access to information systems (hacking)
Relevant law: The Criminal Code – Consolidation Act no 1034 of 29 October 2009 (Straffeloven)
Reference: See https://www.retsinformation.dk/Forms/R0710.aspx?id=126465
Main provisions in relation to ID theft: Illegal access to information systems is prohibited by Article 263(2), which prohibits unlawful access to third parties’ information and computer programs intended for use in an information system.
Article 263 a prohibits the unlawful distribution of codes and other means of access protecting access to non-commercial information systems in the following situations:
• if the codes or other means are sold commercially, or the distribution is made to a larger group of people and the information system is not publicly available;
• if a larger number of codes or other means is distributed;
• if the codes or other means protect access to systems of importance to society or to systems holding sensitive personal data.
In these situations obtaining the codes or other means is also prohibited. Article 301 a prohibits the unlawful distribution of codes and other means of access protecting access to commercial information systems where users have to pay to get access.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations can be criminally sanctioned with imprisonment for up to 1 year and 6 months and, in the case of gross violations, for up to 6 years.

Cybercrime – illegal data interference
Relevant law and reference: no specific regulation.
Main provisions in relation to ID theft: There is no specific regulation on illegal data interference, except for the situation where the interference is done with the purpose of committing fraud (see computer-related fraud below).
Prescribed sanction: see computer-related fraud below.

Cybercrime – computer-related forgery
Relevant law and reference: no specific regulation.
Main provisions in relation to ID theft: There is no specific regulation on computer-related forgery. The general rule on forgery (Article 171 of the Criminal Code) applies – see above.
Prescribed sanction: see Article 171 above.

Cybercrime – computer-related fraud
Relevant law: The Criminal Code – Consolidation Act no 1034 of 29 October 2009 (Straffeloven)
Reference: See https://www.retsinformation.dk/Forms/R0710.aspx?id=126465
Main provisions in relation to ID theft: Computer-related fraud is punished by Article 279 a of the Criminal Code. Article 279 a prohibits anyone from unlawfully appropriating someone else’s money or property by changing, adding or deleting information or computer programs meant for electronic data processing, or otherwise unlawfully seeking to affect the output of such data processing.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations can be criminally sanctioned with imprisonment for up to 1 year and 6 months and, in the case of gross violations, for up to 6 years.
Application in practice
Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else’s name)
Applicable law(s): Such an incident would likely involve:
- violation of data protection laws, since personal data of the victim would likely be unlawfully processed to make the false identity believable (eg, publication of the victim’s name, address, photo, etc.);
- forgery, if the forgery changed the legal impact of the information;
- fraud and/or computer-related fraud, if the false identity was used to unlawfully appropriate money or property.
Case law available? No known case law.

Unlawfully using another person’s credentials (eg, using someone else’s username or password to send emails in his/her name)
Applicable law(s): Most of the qualifications above could apply, depending on how the credentials were used:
- violation of the data protection act, since the credentials are likely to be considered personal data which are being unlawfully processed;
- violation of communication secrecy laws, if use of the credentials can be qualified as unlawful access to data related to electronic communication (eg, to make bank transfers);
- fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate money or property;
- illegal access to information systems, if the credentials were used to access a system without authorisation.
Case law available? Several cases are known in relation to using a third party’s stolen credit card, which is found to constitute fraud.
Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else’s bank account)
Applicable law(s): The act of phishing itself (independent of what the perpetrator would do with the stolen information) would likely be:
- a violation of the data protection act, since the credentials are likely to be considered personal data which are being unlawfully processed;
- a violation of communication secrecy laws, if the collection of the credentials can be qualified as unlawful access to data related to electronic communication;
- fraud, if falsified messages were sent to unlawfully appropriate money or property.
Case law available? No known case law.

Using spyware to obtain identity information (eg, installing a computer programme that records which usernames and passwords are used and communicates these to a hacker)
Applicable law(s): The act of using the spyware itself (independent of what the perpetrator would do with the stolen information) would likely be:
- a violation of the data protection act, since the credentials are likely to be considered personal data which are being unlawfully processed;
- a violation of communication secrecy laws, if the collection of the credentials can be qualified as unlawful access to data related to electronic communication;
- illegal access to information systems, since installing the spyware is likely a violation of access rights.
Case law available? In a case from 2000 decided by the Eastern High Court, a person was convicted of gaining access to a third party’s computer and passwords by using a hacker program. The hacker received a suspended sentence, without the length of imprisonment being fixed. The case is published in Ugeskrift for Retsvæsen, 2000, p. 1450. The result was the same in another case from 2002, published in Ugeskrift for Retsvæsen, 2002, p. 1064.
Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law(s): The act of trafficking in unlawfully obtained information would likely be:
- a violation of the data protection act, since the personal information would be unlawfully processed;
- a violation of the prohibition against distributing codes or other means of access to information systems under Article 263 a of the Criminal Code, if the personal information contained such codes or other means.
Case law available? No known case law.

ID theft reporting mechanisms
The Danish banks all have a reporting mechanism for cases where passwords for credit cards or Internet banking systems have been compromised. No general ID theft reporting mechanism exists in Denmark. The Danish IT and Telecom Agency has launched a website called ‘IT-citizen’ which also provides information on security aspects, including ID theft; see http://www.itborger.dk/sikkerhed

Personal assessment of the framework for combating ID theft
It seems that the legal framework for combating ID theft incidents in Denmark is sufficiently comprehensive, as there do not appear to be any examples of ID theft incidents which are not covered under present legislation. Some criticisms have been raised that creating a false identity on-line would not be prohibited under Danish law. However, it must be expected that such actions would be covered by the Danish data protection act and further by articles of the Criminal Code, depending on how the false profile is created and which information is received (cf. above). It could be considered a weakness that no general contact point for reporting ID theft exists. However, at present this does not seem to have caused any public criticism.
Estonia
Applicable laws
Laws focusing explicitly on ID theft
The main provisions that regulate ID theft in Estonia as a specific crime, or that define such a crime, are contained in the Estonian Penal Code. In Estonia criminal offences, including identity theft, can only be regulated in the Penal Code. Under the Penal Code identity theft has been criminalised since 15 March 2007. The law enforcement authorities are also improving public awareness (for example through their web pages) of ID theft risks.

Other laws that may apply to ID theft incidents
Data protection laws
Relevant law: Personal Data Protection Act (Isikuandmete kaitse seadus), entered into force 1 January 2008.
Reference: Available electronically at https://www.riigiteataja.ee/ert/act.jsp?id=12909389 as in force on 19 April 2010.
Main provisions in relation to ID theft: The Data Protection Act provides that processing of personal data is permitted only with the consent of the data subject unless otherwise provided by law (§ 10). It also regulates the disclosure of personal data (§ 11); the processing of personal data after the death of the data subject (§ 13); security measures and obligations for the protection of personal data (§ 24 and § 25); and supervision (§ 32). Generally the Personal Data Protection Act is in line with the Data Protection Directive 95/46/EC.
Prescribed sanction: Violation of the obligation to register the processing of sensitive personal data, violation of the requirements regarding security measures to protect personal data or violation of other requirements for the processing of personal data is punishable by a fine of up to 18,000 EEK (approx. 1,150 EUR). The same act, if committed by a legal person, is punishable by a fine of up to 500,000 EEK (approx. 32,050 EUR).
Violation of the requirements regarding security measures to protect personal data or violation of other requirements for the processing of personal data prescribed in the Act, if a precept issued to the person by the Data Protection Inspectorate on the basis of § 40 of the Act for the elimination of the violation is not complied with, is punishable by a fine of up to 18,000 EEK (approx. 1,150 EUR). The same act, if committed by a legal person, is punishable by a fine of up to 500,000 EEK (approx. 32,050 EUR).

Communications secrecy laws – existence and technical aspects of electronic communication
Relevant law: The Constitution of the Republic of Estonia (Eesti Vabariigi Põhiseadus), entered into force on 3 July 1992. Electronic Communications Act (Elektroonilise side seadus), entered into force on 1 January 2005. Penal Code (Karistusseadustik), entered into force on 1 September 2002.
Reference: The above sources are available electronically at https://www.riigiteataja.ee/ert/act.jsp?id=12846827, https://www.riigiteataja.ee/ert/act.jsp?id=13247210 and https://www.riigiteataja.ee/ert/act.jsp?id=13286633, as in force on 19 April 2010.
Main provisions in relation to ID theft: The general provision comes from the Constitution of the Republic of Estonia. § 43 provides that everyone has the right to confidentiality of messages sent or received by him by post, telegraph, telephone or other commonly used means. Exceptions may be made by court authorisation to prevent a criminal offence, or to ascertain the truth in criminal proceedings, in cases and pursuant to procedures provided by law.
The Electronic Communications Act makes the provider of electronic communications services responsible for maintaining the security of the data, including personal data of the users.
§ 101 of the Electronic Communications Act provides that a communications undertaking must guarantee the security of a communications network and prevent third persons from accessing the data specified in § 102 (1) of the Act without legal grounds. If a clear and present danger exists to the security of the communications network, the communications undertaking shall immediately inform the subscriber of such danger in a reasonable manner and, if elimination of the danger by the undertaking is impossible, the information shall also cover possible means to combat the threat and any costs related thereto.
§ 158 sanctions the violation of confidentiality of radio communications. It provides that obtaining and using, by third persons not engaged in radio communication, information by means of radio transmission equipment concerning persons engaged in radio communication and messages transmitted by them is punishable.
§ 187 sets forth that violation of the obligation to maintain the confidentiality of information concerning a user which becomes known in the process of provision of communications services is punishable.
The Estonian Penal Code sanctions in § 156 the violation of confidentiality of messages. It provides that violation of the confidentiality of a message communicated by letter or other means of communication is punishable.
Prescribed sanction: Violations of § 158 can be punished by a fine of up to 18,000 EEK (approx. 1,150 EUR). The same act, if committed by a legal person, is punishable by a fine of up to 50,000 EEK (approx. 3,200 EUR). Violations of § 187 can be punished by a fine of up to 12,000 EEK (approx. 766 EUR). The same act, if committed by a legal person, is punishable by a fine of up to 30,000 EEK (approx. 1,923 EUR). Violation of § 156 of the Penal Code can be punished by a pecuniary punishment.
The same act, if committed by a person who has access to the message due to the performance of his or her official duties, is punishable by a pecuniary punishment or by imprisonment for up to one year.

Criminal Law
Fraud
Relevant law: Penal Code (Karistusseadustik), entered into force on 1 September 2002.
Reference: Available electronically at https://www.riigiteataja.ee/ert/act.jsp?id=13286633 as in force on 19 April 2010.
Main provisions in relation to ID theft: Fraud in general is punishable under § 209 of the Estonian Penal Code. This section provides that a person who receives proprietary benefits by knowingly causing a misconception of existing facts shall be punished. This would apply to any ID theft incidents involving the use of a false identity to gain proprietary benefits.
Prescribed sanction: Violations of § 209 can be punished by a pecuniary punishment or by imprisonment for up to 3 years. The same act, if committed by a legal person, is sanctioned with a pecuniary punishment. In the case of a legal person, the court may impose a pecuniary punishment of fifty thousand up to two hundred and fifty million EEK (approx. 3,194 to 15,968,318 EUR) on the legal person. A pecuniary punishment may also be imposed on a legal person as a supplementary punishment together with compulsory dissolution of the legal person itself.

Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law: Penal Code (Karistusseadustik), entered into force on 1 September 2002.
Reference: Available electronically at https://www.riigiteataja.ee/ert/act.jsp?id=13286633 as in force on 19 April 2010.
Main provisions in relation to ID theft: Forgery is punishable under § 344 and following of the Penal Code, including:
• § 344: counterfeiting a document, seal or blank document form on the basis of which it is possible to obtain rights or release from obligations;
• § 345: use of a counterfeit document, seal or blank document form with the intention to obtain rights or release from obligations;
• § 346: destruction of, damage to, theft or concealment of an official document, seal or stamp;
• § 347: falsification of an important identity document;
• § 348: knowing use of, or grant of permission to use, a falsified important identity document;
• § 349: use of an important identity document issued in the name of another person, or granting permission to another person to use an important identity document issued in one’s own name, with the intention to obtain rights or release from obligations;
• § 157(2): illegal use of another person’s identity. Transmission of personal data which enables the person to be identified without his or her consent, creating access to such data and making it available for use by another person can be sanctioned.
Prescribed sanction:
• Violations of § 344 can be sanctioned with a pecuniary punishment or imprisonment for up to one year. The same act, if committed by a legal person, is punishable with a pecuniary punishment.
• Violations of § 345 can be sanctioned with a pecuniary punishment or imprisonment for up to 3 years. The same act, if committed by a legal person, is punishable with a pecuniary punishment.
• Violations of § 346 can be sanctioned with a fine or detention. There is no regulation for legal persons.
• Violations of § 347 can be sanctioned with a pecuniary punishment or imprisonment for up to 5 years. The same act, if committed by a legal person, is punishable with a pecuniary punishment.
• Violations of § 348 can be sanctioned with a pecuniary punishment or imprisonment for up to 3 years.
There is no regulation for legal persons.
• Violations of § 349 can be sanctioned with a pecuniary punishment or imprisonment for up to 3 years. There is no regulation for legal persons.
• Violations of § 157(2) can be sanctioned with a pecuniary punishment or imprisonment for up to 3 years. There is no regulation for legal persons.

Cybercrime – illegal access to information systems (hacking)
Relevant law: Penal Code (Karistusseadustik), entered into force on 1 September 2002.
Reference: Available electronically at https://www.riigiteataja.ee/ert/act.jsp?id=13286633 as in force on 19 April 2010.
Main provisions in relation to ID theft: § 217 of the Penal Code provides that unlawful access to a computer system by way of removal or circumvention of a code, password or other protective measure is punishable.
Prescribed sanction: Violations of § 217 can be sanctioned with a pecuniary punishment or imprisonment for up to 3 years. If the same act is committed by a legal person, it is sanctioned with a pecuniary punishment.

Cybercrime – illegal data interference
Relevant law: Penal Code (Karistusseadustik), entered into force on 1 September 2002.
Reference: Available electronically at https://www.riigiteataja.ee/ert/act.jsp?id=13286633 as in force on 19 April 2010.
Main provisions in relation to ID theft: Illegal data interference is punishable under § 206 of the Penal Code. (1) Illegal alteration, deletion, damaging or blocking of data or programmes within computer systems, or illegal uploading of data or programmes into computer systems, is punishable. (2) The same act is punishable more severely when it is committed against a computer system of a vital sector or if significant damage has been caused.
Prescribed sanction: Violations of § 206 can be sanctioned respectively with (1) a pecuniary punishment or imprisonment for up to three years; (2) a pecuniary punishment or imprisonment for up to five years. If the same act is committed by a legal person, it is punished by a pecuniary punishment.

Cybercrime – computer-related forgery
Relevant law: Penal Code (Karistusseadustik), entered into force on 1 September 2002.
Reference: Available electronically at https://www.riigiteataja.ee/ert/act.jsp?id=13286633 as in force on 19 April 2010.
Main provisions in relation to ID theft: Computer-related forgery is punishable under § 216(1) of the Estonian Penal Code. This section provides that a person who, for the purposes of committing the criminal offences provided in §§ 206, 207, 208, 213 or 217 of the Penal Code, prepares, possesses, disseminates or makes available in any other manner a device, program, password, protective code or other data necessary for accessing a computer system, or uses, disseminates or makes available in any other manner the information necessary for the commission of the criminal offences specified in this section, shall be punished.
Prescribed sanction: Violations of § 216(1) can be sanctioned with a pecuniary punishment or imprisonment for up to three years. If the same act is committed by a legal person, it is punished with a pecuniary punishment.

Cybercrime – computer-related fraud
Relevant law: Penal Code (Karistusseadustik), entered into force on 1 September 2002.
Reference: Available electronically at https://www.riigiteataja.ee/ert/act.jsp?id=13286633 as in force on 19 April 2010.
Main provisions in relation to ID theft: Computer-related fraud is punishable under § 213 of the Penal Code. This section provides that a person who receives proprietary benefits by unlawfully entering, altering, deleting, damaging or blocking computer programs or data, or by other unlawful interference with a data processing operation, shall be punished.
Prescribed sanction: Violation of this section can be sanctioned with a pecuniary punishment or imprisonment for up to 5 years.
The same act, if committed by a legal person, is punishable with a pecuniary punishment.

Application in practice
In this section we examine if and how these regulations are applied in practice, including any known case law and resulting sanctions.

Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else’s name)
Applicable law(s): Such an incident would likely involve:
- violation of the Data Protection Act, since the consent of the data subject is needed when processing personal data;
- violation of communication secrecy laws, if the false profile results in messages being sent to it which were intended for the real recipient, and violation of confidentiality of messages (Penal Code § 156);
- violation of the Penal Code, which sanctions under § 157(1) the unlawful processing of sensitive personal data and under § 157(2) the illegal use of another person’s identity;
- forgery and/or computer-related forgery, if the forgery changed the legal impact of the information;
- fraud and/or computer-related fraud, if the false identity was used to unlawfully appropriate property.
Case law available? No known case law.

Unlawfully using another person’s credentials (eg, using someone else’s username or password to send emails in his/her name)
Applicable law(s): Most of the qualifications above could apply, depending on how the credentials were used:
- violation of the Data Protection Act, since the credentials are likely to be considered personal data which are being unlawfully processed;
- fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal access to information systems, if the credentials were used to access a system without authorisation.
Case law available?
The Estonian Supreme Court (‘Riigikohus’) dealt with cases where third party’s Bank Identifier Codes have been used to get access to Internet Bank Account. The Supreme Court found this to constitute computer-related fraud. Estonian version of the decision: http://www.nc.ee/?id=11&tekst=222509079; case nr: 3-1-1-8307. Decision made on 21 April, 2008. Phishing (using emails emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else’s bank account) Applicable law(s) The act of phishing would likely be: - a violation of the data protection act, since the credentials of natural persons are likely to be considered personal data which are being unlawfully processed; - fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate property; - illegal data interference, if the act of phishing involved entering, changing or deleting information in an information system without authorisation or mislead users into giving away sensitive information. Case law available? No known case law. 254 RAND Europe National Profiles Using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits Applicable law(s) The act of using falsified identity documents would likely be: - violation of Data Protection Act since personal data is being unlawfully processed; - such an incident would likely involve violation of § 157(2) and § 344 -349 of Estonian Penal Code. Case law available? For example the Estonian Supreme Court ruled on a case in 2009 where a person falsified an important identity document (ex § 347 of the Criminal Code), id est a passport, to conclude a buying contract of mobile phones. Estonian version of the decision: http://www.nc.ee/?id=11&tekst=RK/3-1-1-48-09; case nr: 3-1-148-09. Decision made on 8 June, 2009. 
Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law(s): The act of trafficking in unlawfully obtained information would likely be:
- a violation of the Data Protection Act, since the personal information would be unlawfully processed and the consent of the data subject is needed when processing personal data;
- a violation of communication secrecy laws, if the personal information contained data related to electronic communication.
Case law available? No known case law.

ID theft reporting mechanisms
Victims of ID theft or identity-related incidents are recommended to contact the local police directly. The website [118] of the Estonian Police and Border Guard Board provides information about ID crimes, about how to protect oneself against them, and about how to contact the police if you are a victim of ID theft or IT crime. The police also provide information about fraud and computer-related fraud. To raise computer security and ID theft awareness among the general public, several websites have been launched:
• http://www.arvutikaitse.ee (a blog-style website on information security; it reflects up-to-date online threats and provides information on anti-virus and anti-spyware software etc.);
• http://www.infosecurity.ee (a Russian-language version of the http://www.arvutikaitse.ee website; however, the content is not 100 percent identical);
• http://laste.arvutikaitse.ee (a website directed at children and youths in an effort to raise awareness of online risks among these age groups);
• http://www.assapauk.ee (contains reconstructed educational videos on actual cases of persons falling victim to online malpractices; the website also includes instructional videos on how to reduce online risks, ie, about how to protect your password, how to choose a strong password, about identity theft and the protection of privacy online, and about avoiding suspicious content).

118 http://www.politsei.ee/et/nouanded/it-kuriteod/

Personal assessment of the framework for combating ID theft
The legal framework for combating ID theft incidents in Estonia is sufficiently comprehensive and flexible. There do not appear to be any examples of ID theft incidents which are not covered under present legislation. The only weakness is that the country does not have any dedicated ID theft reporting mechanisms (websites), although it is always possible to report the malpractice to the police. Victims of ID theft are required to go through official channels to report the theft (ie, registering a complaint with the local police). This process can be slow, and ID theft does not appear to take high priority in investigations except in cases of clear and significant harm to the victim, even if it can be quite hard to produce evidence of such harm.

Finland
Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in Finland that focuses explicitly on ID theft as a specific crime, or that defines such theft as a crime. However, stealing and/or using someone else's ID would most likely constitute a violation of other provisions of law (eg, the Personal Data Act, 523/1999, and the Criminal Code, 39/1889). The Finnish Ministry of the Interior has set up a working party to assess the protection of ID by legal means, and the report of this work should be published during the spring of 2010. Pursuant to the initial information given by the Ministry of the Interior, the working party will not propose the criminalisation of ID theft as a specific crime but will submit this issue for further consideration by the Finnish Ministry of Justice.
Other laws that may apply to ID theft incidents

Data protection laws
Relevant law: Personal Data Act (in Finnish: Henkilötietolaki, 523/1999)
Reference: See http://www.finlex.fi/fi/laki/ajantasa/1999/19990523
Main provisions in relation to ID theft: The Personal Data Act is the main Act in Finland in relation to the protection of privacy, and most of its rules implement the Data Protection Directive (95/46/EC). The provisions of the Act apply to the processing of personal data, unless otherwise provided elsewhere in the law. For example, Section 8 defines the general prerequisites for processing personal data and Section 13 includes the rules on the processing of a personal identity number.
Prescribed sanction: There are several possible sanctions. The authority in question (the Data Protection Ombudsman) may prohibit the processing of personal data, and such a prohibition may be reinforced with the threat of a fine. Further, a violation of the Personal Data Act may be criminally sanctioned with fines, unless a more severe penalty is provided in the Criminal Code.

Communications secrecy laws – existence and technical aspects of electronic communication
Relevant law: The Act on the Protection of Privacy in Electronic Communications (Sähköisen viestinnän tietosuojalaki 516/2004)
Reference: See http://www.finlex.fi/fi/laki/alkup/2004/20040516
Main provisions in relation to ID theft: Section 4, Confidentiality of messages: as a general principle, all messages and identification data are confidential. Section 5, Non-exploitation: the use of the content of a confidential message or of identification data is forbidden without the consent of a party to the communication.
Section 6, Protecting messages and identification data: the possession, importing, manufacture and distribution of any system, or part of a system, for decoding the technical protection of electronic communications is prohibited if the system is primarily intended for the unlawful decoding of technical protection.
Prescribed sanction: The sanctions for wilful violations of these provisions can be fines, unless a more severe penalty is provided elsewhere in legislation.

Communications secrecy laws – contents of electronic communication
Relevant law: Criminal Code (Rikoslaki, 39/1889)
Reference: See http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001
Main provisions in relation to ID theft: Chapter 38 of the Criminal Code defines the data and communications offences. The following provisions can be applicable: Section 3, Message interception: hacking into the contents of an electronic or other technically recorded message which is protected from outsiders, or obtaining information on these contents. Section 4, Aggravated message interception: for example, if the message interception is committed by using a computer program or a special technical device designed or altered for such a purpose, or if the message that is the object of the offence is especially confidential, or if the act constitutes a grave violation of the protection of privacy.
Prescribed sanction: The sanctions for violations can be the following:
• Violations of section 3 can be sanctioned with a fine or imprisonment for at most one year.
• Violations of section 4 can be sanctioned with imprisonment for at most three years.
Fraud
Relevant law: Criminal Code (Rikoslaki, 39/1889)
Reference: See http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001
Main provisions in relation to ID theft: Fraud is punished by Sections 1, 2 and 3 of Chapter 36 of the Criminal Code, as follows: Section 1, Fraud: causing economic loss by deceiving another or by taking advantage of an error of another, where the offence is committed in order to obtain financial benefit or in order to harm another. Section 2, Aggravated fraud: for example, if the fraud involves the seeking of considerable benefit, causes considerable or particularly significant loss, is committed by taking advantage of special confidence based on a position of trust, or is committed by taking advantage of the special weakness or otherwise insecure position of another. Section 3, Petty fraud. These provisions would apply to any ID theft incident involving the use of a falsified identity to appropriate property.
Prescribed sanction: The sanctions for violations can be the following:
• Violations of section 1 can be criminally sanctioned with a fine or imprisonment for at most two years.
• Violations of section 2 can be criminally sanctioned with imprisonment of between four months and four years, ie, for four months at least and four years at most.
• Violations of section 3 can be criminally sanctioned with a fine.

Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law: Criminal Code (Rikoslaki, 39/1889)
Reference: See http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001
Main provisions in relation to ID theft: Forgery is punished by Sections 1, 2 and 3 of Chapter 33 of the Criminal Code, as follows: Section 1, Forgery: preparing a false document or other item, or falsifying such a document or item, in order for it to be used as misleading evidence, or using a false or falsified item as misleading evidence. Section 2, Aggravated forgery. Section 3, Petty forgery.
These provisions would apply to any ID theft incident involving a falsified document, for example another person's passport or driving licence, used as a means of misleading.
Prescribed sanction: The sanctions for violations can be the following:
• Violations of section 1 can be criminally sanctioned with a fine or imprisonment for at most two years.
• Violations of section 2 can be criminally sanctioned with imprisonment of between four months and four years, ie, for four months at least and four years at most.
• Violations of section 3 can be criminally sanctioned with a fine.

Defamation
Relevant law: Criminal Code (Rikoslaki, 39/1889)
Reference: See http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001
Main provisions in relation to ID theft: Defamation is punished by Sections 9 and 10 of Chapter 24 of the Criminal Code, as follows: Section 9, Defamation: spreading false information or a false insinuation about another person so that the act is conducive to causing damage or suffering to that person or to subjecting that person to contempt. Section 10, Aggravated defamation: for example, when the offence is committed by using the mass media or by making the information available to many persons. Defamation can be related to ID theft when someone uses a false identity, for example in the media, and writes something that is conducive to causing damage or suffering to the victim of the ID theft. (Writing under a stolen identity is not in itself a crime unless the act constitutes an offence.)
Prescribed sanction: The sanctions for violations can be the following:
• Violations of section 9 can be criminally sanctioned with a fine or imprisonment for at most six months.
• Violations of section 10 can be criminally sanctioned with a fine or imprisonment for at most two years.
Cybercrime - illegal access to information systems (hacking)
Relevant law: Criminal Code (Rikoslaki, 39/1889)
Reference: See http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001
Main provisions in relation to ID theft: Chapter 38 of the Criminal Code defines the data and communications offences. The following provisions can be applicable: Section 8, Computer break-in: unlawfully hacking into a computer system in which data is processed, stored or transmitted electronically or otherwise, by using stolen access codes or by otherwise breaking a protection. Unlawfully obtaining information contained in a computer system by using a special technical device, without hacking into the system, is also criminal. Section 8 a, Aggravated computer break-in: the actions defined above (Section 8) when conducted as part of the activity of an organised criminal group, or in a particularly methodical manner, provided the computer break-in is also aggravated when assessed as a whole. Section 9, Data protection offence: processing data in violation of the Personal Data Act in a way that causes damage or significant inconvenience to another person is prohibited. These provisions would apply to any ID theft incident involving the use of false credentials to gain unauthorised access to an information system, or to steal credentials from such a system.
Prescribed sanction: The sanctions for violations can be the following:
• Violations of section 8 can be sanctioned with a fine or imprisonment for at most one year.
• Violations of section 8 a can be sanctioned with a fine or imprisonment for at most two years.
• Violations of section 9 can be sanctioned with a fine or imprisonment for at most one year.
Cybercrime – illegal data interference
Relevant law: Criminal Code (Rikoslaki, 39/1889)
Reference: See http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001
Main provisions in relation to ID theft: Chapter 38 of the Criminal Code defines the data and communications offences, which can include: Section 7 a, Interference in a computer system: entering, transferring, damaging, altering or deleting data, or in another manner unlawfully preventing the operation of a computer system or causing serious interference. Section 7 b, Aggravated interference in a computer system. These provisions would apply to any ID theft incident involving the falsifying of identity information stored in an information system.
Prescribed sanction: The sanctions for violations can be the following:
• Violations of section 7 a can be criminally sanctioned with a fine or imprisonment for at most two years.
• Violations of section 7 b can be sanctioned with imprisonment of between four months and four years, ie, for four months at least and four years at most.

Cybercrime – computer-related forgery
Relevant law / Reference / Main provisions in relation to ID theft / Prescribed sanction: Please see the information on forgery above.

Cybercrime – computer-related fraud
Relevant law / Reference / Main provisions in relation to ID theft / Prescribed sanction: Please see the information on fraud above.

Application in practice

Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else's name)
Applicable law(s): Such an incident would likely involve:
- violation of the Personal Data Act, since personal data of the victim would likely be unlawfully processed to make the false identity believable (for example, publication of the victim's name, address, photo, etc.);
- violation of the Act on the Protection of Privacy in Electronic Communications, if the false profile results in messages being sent to the false profile which were intended for the real recipient;
- forgery, if the forgery changed the legal impact of the information;
- fraud, if the false identity was used to unlawfully appropriate property;
- defamation, if the false identity was used in a way that would be conducive to causing damage or suffering to the victim of the ID theft.
Case law available? No known case law, ie, we are not aware of any case law.

Unlawfully using another person's credentials (eg, using someone else's username or password to send emails in his/her name)
Applicable law(s): Most of the qualifications above could apply, depending on how the credentials were used:
- violation of the Personal Data Act, since the credentials are likely to be considered personal data which is being unlawfully processed;
- violation of the Act on the Protection of Privacy in Electronic Communications, if the use of the credentials can be qualified as unlawful access to data related to electronic communication (for example, to make bank transfers);
- fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal access to information systems, if the credentials were used to access a system without authorisation.
Case law available? There are several cases, specifically in relation to the use of a third party's stolen credit card.
Paying for purchases with a stolen credit card is considered fraud in Finland. However, most of these offences are not committed on-line. For example, in 2009 the Kouvola Court of Appeal ruled that the use of a found credit card, and the falsifying of the signature when paying by that card, constituted fraud and forgery. The defendant was sentenced to imprisonment for one month, but the sentence covered two petty thefts as well (the district court had sentenced him to imprisonment for two months). A copy of the decision can be found here: http://www.edilex.fi/oikeuskaytanto/ho/kouho20091207/?search=oikeuskaytanto.

Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else's bank account)
Applicable law(s): The act of phishing itself (independent of what the perpetrator would do with the stolen information) would likely be:
- a violation of the Personal Data Act, since the credentials are likely to be considered personal data which is being unlawfully processed;
- a violation of the Act on the Protection of Privacy in Electronic Communications, if the collection of the credentials can be qualified as unlawful access to data related to electronic communication;
- fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal data interference, if the act of phishing involved entering, changing or deleting information in an information system without authorisation (for example, in order to falsify a website).
Case law available? No known case law, ie, we are not aware of any case law.
Using spyware to obtain identity information (eg, installing a computer programme that records which usernames and passwords are used and communicates these to a hacker)
Applicable law(s): The act of using the spyware itself (independent of what the perpetrator would do with the stolen information) would likely be:
- a violation of the Personal Data Act, since the credentials are likely to be considered personal data which is being unlawfully processed;
- a violation of the Act on the Protection of Privacy in Electronic Communications, if the collection of the credentials can be qualified as unlawful access to data related to electronic communication;
- illegal access to information systems, since installing the spyware is likely a violation of access rights;
- illegal data interference, since installing the spyware likely involves installing software on the victim's information system without authorisation.
Case law available? No known case law, ie, we are not aware of any case law.

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law(s): The act of trafficking in unlawfully obtained information could be:
- a violation of the Personal Data Act, since the personal information would be unlawfully processed;
- a violation of the Act on the Protection of Privacy in Electronic Communications, if the personal information contained data related to electronic communication (such as email addresses, IP addresses, etc.).
Case law available? No known case law, ie, we are not aware of any case law.

ID theft reporting mechanisms
http://www.poliisi.fi
In Finland, ID theft can be reported to the police if it involves a suspected crime. It is possible to file an electronic report of an offence via the police website, which offers special forms for reporting crimes.
http://www.viestintavirasto.fi
The Finnish Communications Regulatory Authority (in Finnish: Viestintävirasto) is an authority which maintains an overview of the functionality of electronic communications networks and of information security, and reports on possible information security threats. A form for reporting information security offences is available on the website, as well as basic instructions on information security matters.

http://www.tietosuoja.fi
All cases which involve the misuse of personal data can be reported to the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), which is an independent authority operating in connection with the Ministry of Justice. The website also includes a lot of information on data protection in general.

http://www.kuluttajavirasto.fi
The Consumer Agency (Kuluttajavirasto) offers practical information and advice on various matters relating to consumers. The website presents information on, for example, phishing of personal data.

Personal assessment of the framework for combating ID theft
The main challenge in Finland seems to be that ID theft itself is not criminalised, so the Criminal Code covers only certain forms of ID theft. As described above, ID theft is not a criminal offence unless it involves the unlawful appropriation of property (fraud), or the spreading of false information or a false insinuation about another person so that the act is conducive to causing damage or suffering to that person or to subjecting that person to contempt (defamation). Further, one can argue that it is problematic that in cases of fraud the injured party is not considered to be the person whose identity has been stolen but, for example, the store where the purchase was made with the false ID. Based on the above, one can likely argue that the current legislation does not sufficiently protect the 'real' injured party.
The Finnish Data Protection Ombudsman is of the opinion that ID theft (itself) should be criminalised in Finland; he has several times strongly expressed this opinion in the media. However, the working party of the Finnish Ministry of the Interior (described in Section 1.1. above) has stated that, from the technical legislative perspective (formulation and wording of the legislation, etc.), criminalising ID theft is a relatively complicated matter.

France
Applicable laws
Laws focusing explicitly on ID theft
The French Criminal Code contains a specific provision for ID theft (Article 434-23). For an ID theft to qualify as a crime, two conditions must be met: (1) the thief has to assume the name of another person. The Supreme Court has recently ruled in that sense that the concept of name includes an email address. [119] However, the use of a false name that does not correspond to an existing natural person will not fall under the scope of application of this article. [120] (2) The ID theft should lead, or might have led, to the initiation of a criminal prosecution against the victim. This is for instance the case if the ID theft prevents the victim from obtaining a French passport to which he is entitled. [121] The wording of this article therefore leaves out a number of cases wherever the ID theft does not trigger any legal or economic consequence for the victim. Such acts are nowadays pursued under other crimes such as libel or misappropriation of correspondence. However, conduct which does not by itself constitute a crime will remain unpunished. This is for instance the case for the fraudulent use of emails by third parties in order, for example, to affiliate the victim to a political party or other association. Similarly, phishing cannot currently be punished under criminal law if it is not followed by the potential initiation of a criminal prosecution against the victim.
In order to close this legal loophole, the creation of a new crime that would punish ID theft in electronic communications is currently being discussed by the French Parliament. If approved, the act (known as LOPPSI 2 [122]) would introduce a new article into the Criminal Code. The text has so far been approved by both Chambers in first reading. Article 2 of LOPPSI 2 introduces a new article 222-16-1 into the Criminal Code, worded as follows (according to the version approved by the Parliament on 16 February 2010): [123]

'The fact of using, on an electronic communications network, the identity of another person or data of any kind that allows his or her identification, in order to disturb the peace of that person or of another person, is punishable by one year of imprisonment and a fine of 15,000 €. Shall be punished in similar terms the fact of making use, on an electronic communications network, of the identity of another person or data of any kind that allows his or her identification, in order to affect his or her honour or consideration.'

Two modifications were made to the text as originally worded in the law proposal: 1) the condition of repetition, originally foreseen to qualify the ID theft as a crime (in the first of the two cases contemplated by this article), was suppressed; 2) the reference to 'data of any kind allowing for the identification of the victim' has replaced the original reference to the victim's 'personal data'. Both modifications broaden the scope of this article. As now worded, the crime of ID theft consists of two elements:
• Material element: the use of a third party's identity, or of any other data allowing his or her identification, on an electronic communications network. This includes the fraudulent use of emails but also fraudulent posting on blogs or social networking sites. The rapporteur, Eric Ciotti, clearly indicates that this article intends to punish ID thefts that would not trigger economic consequences for the victim but have a less tangible impact, such as in the case of defamation.
• Intentional element: this use should pursue the aim of disturbing the peace of a third party or of impinging on his or her honour or reputation.
This new article would be placed under Title II of Book II of the Legislative Part of the Penal Code, entitled « deliberate damage to the physical or mental integrity of persons » (« atteintes volontaires à l'intégrité physique ou psychique des personnes »), after article 222-16, which punishes malicious calls. In this sense, the rapporteur notes that the very object of ID theft as worded under the new article, disturbance of the peace, is similar to that of malicious calls.

The new article 222-16-1 foresees sanctions identical to those for malicious calls: a one-year prison term and a 15.000 € fine. These sanctions are aggravated when the ID theft is committed by a legal person, in which case the amount of the fine is raised to 75.000 €. Legal persons can moreover be dissolved (when the legal person has been created to perpetrate the crime); a temporary or definitive prohibition on exercising, directly or indirectly, the social or professional activity in the course of which the offence has been committed can be ordered, as well as placement under judicial supervision or exclusion or suspension from public procurement (article 139 of the Criminal Code).

119 Cour de Cassation, Chambre criminelle, 20 January 2009. Available online at: http://www.foruminternet.org/specialistes/veille-juridique/jurisprudence/cour-de-cassation-chambrecriminelle-20-janvier-2009-2852.html?decoupe_recherche=usurpation%20d'identité
120 Cour de Cassation, Chambre criminelle, 10 March 2010, N° 09-81.948, not published.
121 Cour de Cassation, Chambre criminelle, 26 May 2009, N° 08-87.752, not published.
122 Loi d'orientation et de programmation pour la performance de la sécurité intérieure (LOPPSI 2); the preparatory works are available online at: http://www.assembleenationale.fr/13/dossiers/lopsi_performance.asp
123 Unofficial translation. The French text reads as follows: « Le fait de faire usage, sur un réseau de communications électroniques, de l'identité d'un tiers ou de données de toute nature permettant de l'identifier, en vue de troubler la tranquillité de cette personne ou d'autrui, est puni d'un an d'emprisonnement et de 15.000€ d'amende. Est puni de la même peine le fait de faire usage, sur un réseau de communication électroniques, de l'identité d'un tiers ou de données de toute nature permettant de l'identifier, en vue de porter atteinte à son honneur ou à sa considération »

Other laws that may apply to ID theft incidents

The right to privacy
Relevant law: Civil Code
Reference: See http://www.legifrance.gov.fr
Main provisions in relation to ID theft: Article 9 of the Civil Code acknowledges a right to privacy. ID theft incidents, because they often result in the disclosure of information related to the victim's private life, might interfere with this right.
Prescribed sanction: Read together with article 1382 of the Civil Code, which regulates civil liability, violations of the right to privacy will result in compensation for the injury suffered by the victim.
Data protection laws
Relevant law: Act n°78-17 of 6 January 1978 on data processing, data files and individual liberties (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés)
Reference: See http://www.cnil.fr/en-savoir-plus/textes-fondateurs/loi78-17/
Main provisions in relation to ID theft: As under the Data Protection Directive 95/46/EC, ID theft incidents will constitute an unlawful processing whenever they are based on an automatic processing of personal data, or on a non-automatic processing of personal data that is or may be contained in a personal data filing system. They would then violate the legitimacy requirements (article 7), the proportionality obligations and the purpose restriction (article 6), the transparency obligations (article 32), the security obligations (article 34) and formal obligations such as prior notification to the French Privacy Commission (article 22).
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, the violations above can also be criminally sanctioned with prison terms of five years and fines of 300.000 EUR.

Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law: Criminal Code (Code Pénal)
Reference: See http://195.83.177.9/code/index.phtml?lang=uk
Main provisions in relation to ID theft: Forgery is punished by Article 441-1 and following of the Criminal Code, and refers to any fraudulent alteration of the truth liable to cause harm and made by any means in a document or other medium of expression, of which the object is, or the effect may be, to provide evidence of a right or of a situation carrying legal consequences. Articles 441-2 and following punish a series of aggravated conducts:
• Art. 441-2: forgeries committed in a document delivered by a public body for the purpose of establishing a right, an identity or a capacity, or to grant an authorisation;
• Art. 441-3: forgeries in an authentic or public document or in a record prescribed by a public authority;
• Art. 441-5: unlawfully procuring for another person a document delivered by a public body for the purpose of establishing a right, an identity or a capacity, or the grant of an authorisation;
• Art. 441-6: unlawfully obtaining from a public administration, or from an institution discharging a public service mission, by any fraudulent means, any document intended to establish a right, an identity or a capacity, or to grant an authorisation.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of article 441-1 (general public) can be criminally sanctioned with imprisonment of 3 years and a fine of 45.000€.
• Violations of article 441-2 can be criminally sanctioned with imprisonment of 5 years and a fine of 75.000€. When committed by a person holding public authority or discharging a public service mission acting in the exercise of his office, habitually, or with the intent to facilitate the commission of a felony or to gain immunity for the perpetrator, the sanctions can be increased up to 7 years' imprisonment and a fine of 100.000€.
• Violations of article 441-3 can be criminally sanctioned with imprisonment of 2 years and a fine of 30.000€.
• Violations of article 441-4 can be criminally sanctioned with imprisonment of 10 years and a fine of 150.000€. If committed by a person holding public authority or discharging a public service mission whilst acting in the exercise of his office or mission, the sanctions can amount to 15 years' imprisonment and a fine of 225.000€.
• Violations of article 441-5 can be criminally punished by 5 years' imprisonment and a fine of 75.000€. If committed by a person holding public authority or discharging a public service mission whilst acting in the exercise of his office or mission, the sanctions can amount to 7 years' imprisonment and a fine of 100.000€.
Cybercrime - illegal access to information systems (hacking)
Relevant law: Criminal Code
Reference: See http://195.83.177.9/code/index.phtml?lang=uk
Main provisions in relation to ID theft: Illegal access to information systems is punished by Article 323-1 of the Criminal Code, which covers accessing or remaining within all or part of an automated data processing system, causing the suppression or modification of data contained in that system, or any alteration of the functioning of that system. Article 323-2 forbids obstructing or interfering with the functioning of an automated data processing system. Article 323-3 punishes the fraudulent introduction of data into an automated data processing system or the fraudulent deletion or modification of the data that it contains. Article 323-3-1 sanctions persons who, without lawful authority, import, possess, offer, transfer or make available any equipment, instrument, computer programme or information created or specially adapted to commit one or more of the offences prohibited by articles 323-1 to 323-3. This would apply to any ID theft incident involving the use of false credentials to gain unauthorised access to an information system, to steal credentials from such a system, or to fraudulently introduce or alter information within a computer system.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of article 323-1 can be criminally sanctioned with fines of 30.000 EUR and imprisonment of 2 years.
• Violations of article 323-2 can be criminally sanctioned with fines of 75.000 EUR and imprisonment of 5 years.
• Violations of article 323-3 can be criminally sanctioned with fines of 75.000 EUR and imprisonment of 5 years.
• Violations of article 323-3-1 can be punished by the penalties prescribed for the offence itself.

Brand counterfeiting
Relevant law: Intellectual Property Code
Reference: See: http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=LEGITEXT000006070722&dateTexte=vig
Main provisions in relation to ID theft: Articles L.713-1 and following prohibit, unless authorised by the owner of the brand:
• The reproduction, use or affixing of a mark
• The suppression or modification of a duly affixed mark
• The imitation of a mark and the use of an imitated mark for goods or services that are identical or similar to those designated in the registration
These articles may be used in cases such as phishing where the ID theft results in the unlawful use of the victim's brand.
Prescribed sanction: Violations of these articles may result in up to three years of imprisonment and a fine of up to 300.000€.

Application in practice

Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else's name)
Applicable law(s): Such an incident would likely involve:
- Civil liability
- ID theft in the sense of art. 434-23, if this led or may have led to criminal liability for the victim
- Violation of the right to privacy and of data protection laws, since personal data of the victim would likely be unlawfully processed to make the false identity believable (eg, publication of the victim's name, address, photo, etc.);
- Violation of communication secrecy laws, if the false profile results in messages being sent to the false profile which were intended for the real recipient;
- Forgery and/or computer-related forgery, if the object is, or the effect may be, to provide evidence of a right or of a situation carrying legal consequences;
- Fraud and/or computer-related fraud, if the false identity was used to unlawfully transfer funds, valuables or any property, to provide a service or to consent to an act incurring or discharging an obligation.
Case law available?: Yes. Ruling of the First Instance Tribunal [Tribunal de Grande Instance] of Carcassonne of 16 June 2006. In this case, a woman used different pseudonyms on a dating website and described herself as an 'easy woman willing to have sexual relations'. She provided her colleague's contact details, and the colleague started receiving numerous messages from individuals eager to meet her. As a result, the colleague fell into a depression and had to take sick leave. The convicted woman was found guilty of intentional violence (violences volontaires) with premeditation and had to compensate both her victim and the Public Health Insurance. A copy of the decision can be found at: http://www.legalis.net/breves-article.php3?id_article=1645

Unlawfully using another person's credentials (eg, using someone else's username or password to send emails in his/her name)
Applicable law(s): Most of the qualifications above could apply, depending on how the credentials were used:
- ID theft, if this led or may have led to criminal liability for the victim;
- violation of the right to privacy and of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully processed;
- violation of communication secrecy laws, if use of the credentials can be qualified as unlawful access to data related to electronic communication;
- fraud and/or computer-related fraud, if the false identity was used to unlawfully transfer funds, valuables or any property, to provide a service or to consent to an act incurring or discharging an obligation;
- illegal access to information systems, if the credentials were used to access a system without authorisation.
Case law available?: Yes, ruling of the Supreme Court of 20 January 2009. The perpetrators had published naked pictures of the victim on the Internet, making use of her email address. The offenders were convicted on the basis of article 434-23 of the Penal Code (ID theft) and of the right to privacy. Decision available at: http://www.foruminternet.org/specialistes/veillejuridique/jurisprudence/cour-de-cassation-chambre-criminelle20-janvier-2009-2852.html

Libel
Relevant law: Press Act of 29 July 1881
Reference: See: http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=LEGITEXT000006070722&dateTexte=vig
Main provisions in relation to ID theft: Article 29 punishes any allegation of a fact which undermines the honour or reputation of the person or body to which the act is attributed.
Prescribed sanction: Violations of this article may result in a fine of up to 12.000€. When libel is committed on grounds of race, religion, gender, sexual orientation or physical handicap, sanctions increase to 1 year of imprisonment and a fine of 45.000€.
Using spyware to obtain identity information (eg, installing a computer programme that records which usernames and passwords are used and communicates these to a hacker)
Applicable law(s): The act of using the spyware itself (independently of what the perpetrator would do with the stolen information) would likely be:
- a violation of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully processed;
- a violation of communication secrecy laws, if the collection of the credentials can be qualified as unlawful access to data related to electronic communication;
- illegal access to information systems, since installing the spyware is likely a violation of access rights;
- illegal data interference, since installing the spyware likely involves installing software on the victim's information system without authorisation;
- ID theft, if the stolen data would be qualified as a 'name' by the case law (such as emails) and if this could result in criminal liability for the victim.
Case law available?: No known case law.

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketers)
Applicable law(s): The act of trafficking in unlawfully obtained information would likely be:
- a violation of the data protection act, since the personal information would be unlawfully processed.
Case law available?: No known case law.
Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else's bank account)
Applicable law(s): The act of phishing itself (independently of what the perpetrator would do with the stolen information) would likely be:
- a violation of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully processed;
- fraud and/or computer-related fraud, if the false identity is used to unlawfully transfer funds, valuables or any property, to provide a service or to consent to an act incurring or discharging an obligation;
- illegal access to information systems, if the false identity were used to access a system without authorisation;
- brand counterfeiting.
Case law available?: Yes, two rulings of the High Court of Paris, of 2 September 2004 and 21 September 2005. In the ruling of 2004, the First Instance Tribunal of Paris sanctioned a phishing attack on the basis of fraud, unlawful access to a computer system and unlawful alteration of data contained in such a system. The convicted person had mirrored a bank website and by these means managed to order transfers of his victims' funds to bank accounts of his choosing. The offender was also convicted of attempted fraud and fraudulent access to an automated data processing system, and received a suspended prison sentence of one year and a fine of 8,500 euros. In the ruling of 2005, the Court punished a phishing act on the basis of brand counterfeiting. The Court considered that this mirror website unlawfully appropriated the Microsoft brand and reproduced and disclosed, without prior authorisation, the registration page of MSN Hotmail. The sanction nevertheless remained low (a suspended fine of 500 euros and 700 euros of damages to be paid to Microsoft) because of the young age of the offender and the fact that no personal data had been gathered. These rulings are available online at:
• Tribunal de Grande Instance de Paris, 13e chambre, 2 September 2004, Ministère public, Crédit Lyonnais et Caisse nationale du Crédit agricole c/ Radhouan M. et autres: http://www.foruminternet.org/specialistes/veillejuridique/jurisprudence/tribunal-de-grande-instance-de-paris-13echambre-2-septembre-2004.html
• Tribunal de grande instance de Paris, 31ème chambre, Jugement du 21 septembre 2005, Microsoft Corporation / Robin B.: http://www.legalis.net/jurisprudence-decision.php3?id_article=1520

Example of case law about ID theft and forgery of official documents: The Appeal Court of Amiens (Criminal Chamber) ruled, in a judgement of 16 September 2009 (n°09/00345), that acquiring a third party's passport, replacing the third party's photograph with his own, and using this passport to travel across France and other countries constituted the crime of ID theft as punished under article 434-23 of the Criminal Code. The offender had also used the falsified identity to buy a car, register this car with the public administration and obtain a driving licence unlawfully. The act is also punished as fraud and as forgery and use of forged official documents (articles 441-1, 441-2 and 441-3 of the Criminal Code). The Appeal Court confirmed the judgement of the First Instance Tribunal: two years' imprisonment for ID theft and a further 2 years for fraud and document forgery.

ID theft reporting mechanisms
There are no specific ID theft reporting mechanisms in France. Several public awareness campaigns have been launched on the basis of private initiatives, mainly related to financial ID theft.
As online consultation of bank accounts and online transactions have become the second most common activity of French Internet users, French banks have undertaken initiatives to raise Internet users' awareness of the risks involved in online banking. The Federation of French Banks, FBF [Fédération Bancaire Française], helped to sponsor a campaign to teach people how to use the Internet safely. As part of this, almost three million brochures, comics and books were distributed in bank branch offices and on bank websites. Advice was included on how to detect and avoid phishing, and on the importance of antivirus software on computers. Banks also sent letters to their customers and posted alert messages online warning of potential dangers. The FBF regularly updates its practical guide to secure online banking, which is available on the www.fbf.fr and www.lesclesdelabanque.com websites.124 In addition, e-commerce actors have offered specific toolbars to enable users to identify secure websites.125 The Forum of Rights on the Internet has also published several online guides and fact sheets for Internet users, providing them with useful tools for preventing abuses or defending themselves against such abuses. Worth mentioning, for instance, is the guide on online shopping126 published on 17 November 2005 and updated regularly since then, which also includes advice against phishing. This guide includes advice for every step of a purchase, from the selection of the online merchant to the payment process and the existing remedies in case of problems. A specific part is dedicated to C2C websites. The 2008 edition furthermore includes advice on online video games and online travel booking. The guide ends with a short quiz.
Personal assessment of the framework for combating ID theft
Overall, the legal framework for combating ID theft incidents in France appears sufficiently comprehensive, as there seem to be few examples of ID theft incidents which are not covered by present legislation. In fact, the identity fraud offence punished under the Criminal Code is rarely used in legal proceedings when it comes to online identity fraud; other offences, such as fraud or unauthorised access to an information system, are better suited to protecting victims from these practices. However, where identity theft by itself is the only offence, for instance when a person steals another's digital identity without further using it, the victim would remain unprotected. The introduction of a new crime of digital ID theft will close this legal loophole and better address the problems raised by online ID theft. The latest wording of the article would allow a broad range of cases to be covered, not limited by the concept of 'name' or of 'personal data'.

124 Information extracted from FBF, Press release 'Banks mobilise to increase Internet security', 31 December 2005, available online at: http://www.fbf.fr/web/internet/content_europe.nsf/(WebPageList)/662BED67AF6A21F4C125717100560858 (last accessed on 31 October 2007)
125 C. Guillemin, Des barres d'outils pour Internet Explorer et Firefox protègent du 'phishing', ZDNet, 4 January 2005.
126 Forum des droits sur l'Internet, Online purchase: follow the guide [Achats en ligne : suivez le guide], 2008 edition, available online at: http://www.foruminternet.org/particuliers/guides/IMG/pdf/Guidedesachatsenligne2008.pdf, last accessed on 3 December 2007

Germany

Applicable laws

Laws focusing explicitly on ID theft
No legislation has been introduced in Germany that focuses explicitly on ID theft as a specific crime and hence defines such an ID theft crime.
In practice, ID theft incidents are combated using the general provisions of the laws set forth below, in particular the laws concerning the right to one's own name, the protection of personal data against unauthorised use, and the criminal offences of data espionage, data interception, data-related forgery, fraud, computer-related fraud, data alteration and computer sabotage. To our knowledge, no legislative initiative that specifically addresses ID theft prevention is currently under consideration. Instead, as information security and ID theft concerns rise in society, the policy debate in Germany increasingly focuses on improving awareness of ID theft risks among consumers, businesses, state agencies and law enforcement bodies.

Other laws that may apply to ID theft incidents

Data protection laws
Relevant law:
1. Federal Data Protection Act (Bundesdatenschutzgesetz; abbreviation: BDSG), in the version promulgated on 14 January 2003, last amended by law of 14 August 2009; and, complementarily, the respective data protection legislation of the federal states
2. Telecommunications Act (Telekommunikationsgesetz; abbreviation: TKG), in the version promulgated on 22 June 2004, last amended by law of 17 February 2010; in particular sections 88 ff. TKG concerning secrecy of telecommunications, and sections 91 ff. TKG concerning protection of data privacy
3. Teleservices Act (Gesetz über die Nutzung von Telemedien; abbreviation: TMG), in the version promulgated on 26 February 2007, last amended by law of 14 August 2009; in particular sections 11 ff. TMG concerning protection of data privacy
Reference:
1. BDSG: http://bundesrecht.juris.de/bdsg_1990/
2. TKG: http://bundesrecht.juris.de/tkg_2004/
3. TMG: http://bundesrecht.juris.de/tmg/
Main provisions in relation to ID theft: ID theft incidents will typically constitute unlawful data processing, in particular because ID theft incidents requiring the unauthorised collection, alteration, transmission and use of personal data may involve the violation of legitimacy requirements, permission requirements, transparency obligations, secrecy obligations, security obligations and reporting requirements.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of certain BDSG provisions may be punished by administrative fines of up to 50.000 EUR (section 43 (1), (3) BDSG) or of up to 300.000 EUR (section 43 (2), (3) BDSG); violations of certain TKG provisions may be punished by administrative fines of up to 10.000 EUR, up to 50.000 EUR, up to 100.000 EUR, up to 300.000 EUR or up to 500.000 EUR (section 149 (1), (2) TKG); and violations of certain TMG provisions may be punished by administrative fines of up to 50.000 EUR (section 16 (2), (3) TMG). As a basic principle, administrative fines for violations of BDSG or TKG provisions shall exceed the economic benefit that the perpetrator has obtained from the administrative offence. Furthermore, violations of certain BDSG provisions may be punished as a criminal offence with imprisonment of not more than 2 years or a fine if the perpetrator has deliberately acted with the intent to obtain unlawful gain or cause unlawful damage (sections 43 (2), 44 (1) BDSG), and violations of certain TKG provisions concerning secrecy of telecommunications may be punished as a criminal offence with imprisonment of not more than 2 years or a fine (sections 89, 148 (1) Nr. 1 TKG).

Communications secrecy laws concerning electronic communication
Relevant law:
1. Telecommunications Act (Telekommunikationsgesetz; abbreviation: TKG), in the version promulgated on 22 June 2004, last amended by law of 17 February 2010; in particular sections 88 ff. TKG concerning secrecy of telecommunications
2. Criminal Code (Strafgesetzbuch; abbreviation: StGB), in the version promulgated on 13 November 1998, last amended by law of 2 October 2009
Reference:
1. TKG: http://bundesrecht.juris.de/tkg_2004/
2. StGB: http://bundesrecht.juris.de/stgb/
Main provisions in relation to ID theft: Sections 88 ff. TKG aim to protect the secrecy of telecommunications. Any form of online electronic data interchange is within their scope. In particular, section 88 TKG generally applies to unlawful acts in which a third party obtains, without permission, information on someone else's electronic communications or their technical characteristics (such as protocols, IP addresses, passwords or security codes used), and in which this information is abused. Apart from sections 88 ff. TKG, the secrecy of data transmission is protected by section 202b StGB, which criminalises illegal data interception: whosoever unlawfully intercepts data not intended for him, for himself or another, by technical means from a non-public data processing facility or from the electromagnetic broadcast of a data processing facility, commits a criminal offence pursuant to section 202b StGB. Furthermore, section 202a StGB criminalises illegal data espionage: whosoever unlawfully obtains, for himself or another, data that were not intended for him and were especially protected against unauthorised access, if he has circumvented the protection, commits a criminal offence pursuant to section 202a StGB. Section 202c StGB criminalises the preparation of illegal data interception or illegal data espionage, as committed by the production, procurement or distribution of hacker tools.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, an act of data interception pursuant to section 202b StGB may be punished as a criminal offence with imprisonment of not more than two years or a fine (section 202b StGB), and an act of data espionage pursuant to section 202a StGB may be punished as a criminal offence with imprisonment of not more than three years or a fine (section 202a (1) StGB). Pursuant to section 202c StGB, even acts preparatory to such data interception or data espionage may be punished as a criminal offence with imprisonment of not more than one year or a fine (section 202c (1) StGB).

Fraud (in general)
Relevant law: Criminal Code (Strafgesetzbuch; abbreviation: StGB), in the version promulgated on 13 November 1998, last amended by law of 2 October 2009
Reference: http://bundesrecht.juris.de/stgb/
Main provisions in relation to ID theft: Section 263 StGB criminalises fraud in general: whosoever, with the intent of obtaining for himself or a third person an unlawful material benefit, damages the property of another by causing or maintaining an error by pretending false facts or by distorting or suppressing true facts, commits an act of fraud. Section 263 StGB requires that damage to somebody's financial position is caused by an act of deliberate deception (such as the use of false names or titles, or any other type of deceptive manipulation or abuse of good faith or credulity) committed with the intent to obtain unlawful gain. This would apply to any ID theft incident involving the use of a falsified identity in order to unlawfully appropriate someone else's property.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, an act of fraud pursuant to section 263 StGB may be punished as a criminal offence with imprisonment of not more than five years or a fine (section 263 (1) StGB).
In especially serious cases the penalty is imprisonment from six months to ten years (section 263 (3) StGB). Whosoever commits fraud on a commercial basis as a member of a gang whose purpose is the continued commission of fraud is liable to imprisonment from one to ten years, and in less serious cases to imprisonment from six months to five years (section 263 (5) StGB).

Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law: Criminal Code (Strafgesetzbuch; abbreviation: StGB), in the version promulgated on 13 November 1998, last amended by law of 2 October 2009
Reference: http://bundesrecht.juris.de/stgb/
Main provisions in relation to ID theft: Section 267 StGB criminalises forgery in general with respect to a falsified document: whosoever, for the purpose of deception in legal commerce, produces a counterfeit document, falsifies a genuine document or uses a counterfeit or falsified document, commits an act of forgery. This would apply to any ID theft incident involving the use of a falsified signature or falsified information on documents which are capable of providing evidence in legal commerce. Furthermore, specific offences in relation to forgery are punished, including in particular:
• Section 268 StGB criminalises forgery of technical records;
• Section 269 StGB criminalises forgery of data intended to provide proof;
• Section 270 StGB criminalises forgery in the context of falsely influencing data processing operations;
• Section 271 StGB criminalises deception causing wrong entries in public records;
• Section 273 StGB criminalises tampering with official identity documents;
• Section 274 StGB criminalises suppression of documents, technical records or legally relevant data;
• Section 276 StGB criminalises acquisition of false official identity documents.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, an act of forgery pursuant to section 267 StGB may be punished as a criminal offence with imprisonment of not more than five years or a fine (section 267 (1) StGB). In especially serious cases the penalty is imprisonment from six months to ten years (section 267 (3) StGB). Whosoever commits forgery on a commercial basis as a member of a gang whose purpose is the continued commission of forgery is liable to imprisonment from one to ten years, and in less serious cases to imprisonment from six months to five years (section 267 (4) StGB).

Cybercrime - illegal access to information systems (hacking)
Relevant law: Criminal Code (Strafgesetzbuch; abbreviation: StGB), in the version promulgated on 13 November 1998, last amended by law of 2 October 2009
Reference: http://bundesrecht.juris.de/stgb/
Main provisions in relation to ID theft: Sections 202a, 202b, 303a and 303b StGB criminalise, in substance, illegal access to data, interception of and interference with data, and sabotage of computer systems; these four sections make up the core computer crimes. Section 202c StGB criminalises the preparation of those computer crimes, as committed by the production, procurement or distribution of hacker tools. Section 202c StGB is Germany's transposition of Article 6 of the Council of Europe's Convention on Cybercrime. Section 202c StGB names two classes of hacker tools: (i) passwords or other security codes enabling access to data, or (ii) software primarily designed for committing such an offence. Whether software falls into the second class is determined by its intended objective purpose. Therefore, commonly recognised IT security tools are not considered hacker tools, even if such tools can also be used with bad intent. On the other hand, malware and exploits are within the scope of section 202c StGB because their objective purpose is harmful. In any case, section 202c StGB requires the preparatory act to further an intended computer crime pursuant to sections 202a, 202b, 303a or 303b StGB.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, such a preparatory act pursuant to section 202c StGB may be punished as a criminal offence with imprisonment of not more than one year or a fine (section 202c (1) StGB). Furthermore, an act of data espionage pursuant to section 202a StGB may be punished as a criminal offence with imprisonment of not more than three years or a fine (section 202a (1) StGB); an act of data interception pursuant to section 202b StGB may be punished as a criminal offence with imprisonment of not more than two years or a fine (section 202b StGB); an act of data tampering pursuant to section 303a StGB may be punished as a criminal offence with imprisonment of not more than two years or a fine (section 303a (1) StGB); and an act of computer sabotage pursuant to section 303b StGB may be punished as a criminal offence with imprisonment of not more than three years or a fine (section 303b (1) StGB), with imprisonment of not more than five years or a fine if the sabotaged data processing operation is of substantial importance for another's business, enterprise or a public authority (section 303b (2) StGB), and with imprisonment from six months to ten years in especially serious cases of such computer sabotage (section 303b (4) StGB).
284 RAND Europe National Profiles

Cybercrime – illegal data interference
Relevant law: Criminal Code (Strafgesetzbuch; Abbreviation: StGB), in the version promulgated on 13 November 1998, last amended by law of 2 October 2009
Reference: http://bundesrecht.juris.de/stgb/
Main provisions in relation to ID theft: Section 202b StGB criminalises illegal data interception: Whosoever unlawfully intercepts data not intended for him, for himself or another, by technical means from a non-public data processing facility or from the electromagnetic broadcast of a data processing facility, commits a criminal offence pursuant to section 202b StGB. Section 303a StGB criminalises illegal data tampering: Whosoever unlawfully deletes, suppresses, renders unusable or alters data, commits a criminal offence pursuant to section 303a StGB.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, an act of data interception pursuant to section 202b StGB may be punished as a criminal offence with imprisonment of not more than two years or a fine (section 202b StGB), and an act of data tampering pursuant to section 303a StGB may be punished as a criminal offence with imprisonment of not more than two years or a fine (section 303a (1) StGB).

Cybercrime – computer-related forgery
Relevant law: Criminal Code (Strafgesetzbuch; Abbreviation: StGB), in the version promulgated on 13 November 1998, last amended by law of 2 October 2009
Reference: http://bundesrecht.juris.de/stgb/
Main provisions in relation to ID theft: Section 269 StGB criminalises forgery of data intended to provide proof: Whosoever for the purposes of deception in legal commerce stores or modifies data intended to provide proof in such a way that a counterfeit or falsified document would be created upon their retrieval, or uses data stored or modified in such a manner, commits a criminal offence pursuant to section 269 StGB. This would apply to ID theft incidents involving the use of falsified identity information in an information system for the purposes of deception in legal commerce.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, an act of data-related forgery pursuant to section 269 StGB may be punished as a criminal offence with imprisonment of not more than five years or a fine (section 269 (1) StGB). In especially serious cases the penalty shall be imprisonment from six months to ten years (sections 269 (3), 267 (3) StGB). Whosoever on a commercial basis commits data-related forgery as a member of a gang whose purpose is the continued commission of forgery shall be liable to imprisonment from one to ten years, in less serious cases to imprisonment from six months to five years (sections 269 (3), 267 (4) StGB).

Cybercrime – computer-related fraud
Relevant law: Criminal Code (Strafgesetzbuch; Abbreviation: StGB), in the version promulgated on 13 November 1998, last amended by law of 2 October 2009
Reference: http://bundesrecht.juris.de/stgb/
Main provisions in relation to ID theft: Section 263a StGB criminalises computer-related fraud: Whosoever with the intent of obtaining for himself or a third person an unlawful material benefit damages the property of another by influencing the result of a data processing operation through incorrect configuration of a program, use of incorrect or incomplete data, unauthorised use of data or other unauthorised influence on the course of the processing, commits a criminal offence pursuant to section 263a StGB. This would apply to incidents of ID theft aiming to unlawfully appropriate someone else’s property by entering, changing, altering or deleting information in an information system or by modifying the operation of an information system.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, an act of computer-related fraud pursuant to section 263a StGB may be punished as a criminal offence with imprisonment of not more than five years or a fine (section 263a (1) StGB). In especially serious cases the penalty shall be imprisonment from six months to ten years (sections 263a (2), 263 (3) StGB). Whosoever on a commercial basis commits computer-related fraud as a member of a gang whose purpose is the continued commission of fraud shall be liable to imprisonment from one to ten years, in less serious cases to imprisonment from six months to five years (sections 263a (2), 263 (5) StGB). Whosoever prepares computer-related fraud by writing computer programs the purpose of which is to commit such an act, or procures them for himself or another, offers them for sale, or holds or supplies them to another, shall be liable to imprisonment of not more than three years or a fine (section 263a (3) StGB).

Application in practice

Claiming a false identity on-line (eg, creating an account on a social networking site under someone else’s name)
Applicable law: Depending on the facts of the case, an act of claiming a false identity on-line could involve in particular:
• The violation of the right of a person to use one’s own name, if the interest of the person entitled to the name is injured by the unauthorised use of the same name by another person (section 12 BGB – Civil Code, Bürgerliches Gesetzbuch; Abbreviation: BGB; Reference: http://bundesrecht.juris.de/bgb/);
• The violation of data protection laws, if personal data of the victim has been unlawfully processed to make the false identity believable (eg, publication of the victim’s name, address, photo, etc.);
• The violation of communication secrecy laws, if the false profile results in messages being sent to the false profile which were intended for the real recipient;
• The criminal offence of forgery of data intended to provide proof, if falsified identity information capable of providing evidence has been used for the purposes of deception in legal commerce;
• The criminal offence of fraud, if damage to somebody’s financial position is caused by an act of deliberate deception – such as the use of a false identity – with the intent to obtain unlawful gain; or the criminal offence of computer-related fraud, if this damage is caused by an act of deliberate manipulation of the result of a data processing operation.
Case law available? In civil proceedings, claimants have based their action against the unauthorised use of their name by another person on the infringement of their right to their own name pursuant to section 12 BGB. There is a string of well-established cases in which courts have found that the right to one’s own name entitles its bearer to forbid the unauthorised use of the same name by another person, in particular if the use of the same name causes a likelihood of confusion. This right to one’s own name may apply as well to the use of company names, trade names, domain names and even abbreviations of names.
Unlawfully using another person’s credentials (eg, using someone else’s username or password to send emails in his/her name)
Applicable law: Depending on the facts of the case, an act of unlawfully using another person’s credentials could involve in particular:
• The violation of the data protection laws, if the credentials have been unlawfully processed without permission;
• The violation of communication secrecy laws concerning the secrecy of electronic communication, if the credentials have been unlawfully obtained from someone else’s electronic data interchange without permission;
• The criminal offences related to illegal access to information systems – including data espionage and preparatory acts for an intended data espionage – if the credentials, such as passwords or other security codes, have been used to unlawfully enable access to data without permission;
• The criminal offence of fraud, if damage to somebody’s financial position is caused by an act of deliberate deception – such as the transmission of falsified messages – with the intent to obtain unlawful gain; or the criminal offence of computer-related fraud, if this damage is caused by an act of deliberate manipulation of the result of a data processing operation.
Case law available? In both civil and criminal proceedings concerning the unauthorised use of unlawfully obtained data containing personal identity information, courts have found that the unauthorised use of such unlawfully obtained data for a transaction causing damage to the victim’s financial position may constitute the criminal offence of fraud or computer-related fraud.

Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else’s bank account)
Applicable law: Depending on the facts of the case, an act of ‘phishing’ could involve in particular:
• The violation of the data protection laws, if personal data has been unlawfully processed without permission;
• The violation of communication secrecy laws concerning the secrecy of electronic communication, if personal data has been unlawfully obtained from someone else’s electronic data interchange without permission;
• The criminal offence of forgery of data intended to provide proof, if such ‘phishing emails’ or ‘phishing websites’ are considered to contain data capable of providing evidence which have been used for the purposes of deception in legal commerce;
• The criminal offence of data espionage;
• The criminal offence of data tampering;
• The criminal offence of computer sabotage;
• The criminal offence of fraud, if damage to somebody’s financial position is caused by an act of deliberate deception – such as the transmission of falsified messages – with the intent to obtain unlawful gain; or the criminal offence of computer-related fraud, if this damage is caused by an act of deliberate manipulation of the result of a data processing operation.
Case law available? In civil proceedings where victims sued for damages, courts have found that the use of data obtained from ‘phishing’ for a transaction causing damage to the victim’s financial position may constitute the criminal offence of computer-related fraud, entitling the victim to recover damages.

Using spyware to obtain identity information (eg, installing a computer program that records which usernames and passwords are used and communicates these to a hacker)
Applicable law: Depending on the facts of the case, an act of using spyware in order to obtain identity information could involve in particular:
• The violation of the data protection laws, if personal data has been unlawfully processed without permission;
• The violation of communication secrecy laws concerning the secrecy of electronic communication, if personal data has been unlawfully obtained from someone else’s electronic data interchange without permission;
• The criminal offence of data espionage;
• The criminal offence of data interception;
• The criminal offence of data tampering;
• The criminal offence of computer sabotage;
• The criminal offence of acts preparatory to an intended data espionage, data interception, data tampering or computer sabotage, if such preparatory acts have been committed by the production, procurement or distribution of hacker tools such as spyware.
Case law available? Prevailing case law criminalises the act of using spyware itself as a hacker tool preparatory to an intended data espionage, data interception, data tampering or computer sabotage only if the spyware has been objectively designed or adapted primarily for the purpose of committing an intended data espionage, data interception, data tampering or computer sabotage.

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law: Depending on the facts of the case, an act of ‘trafficking’ could involve in particular:
• The violation of the data protection laws, if personal data has been unlawfully processed without permission;
• The violation of communication secrecy laws concerning the secrecy of electronic communication, if personal data has been unlawfully obtained from someone else’s electronic data interchange without permission.
Case law available? In several cases, acts of illegal data trafficking have been punished with administrative fines.
ID theft reporting mechanisms
There is as yet no German-language website dedicated solely and exclusively to ID theft through which victims of ID theft could use an official reporting mechanism to file charges. However, several websites focusing on Internet security and cybercrime in general offer valuable advice and guidance for consumers who seek to protect themselves against ID theft. Useful websites include:
• http://www.bsi-fuer-buerger.de
• http://www.datenschutz.de
• http://www.bfdi.bund.de
• http://www.sichere-identitaet.de
• http://www.sicher-im-netz.de

Personal assessment of the framework for combating ID theft
In general, it seems that the legal framework for combating ID theft in Germany is sufficiently comprehensive, as there do not appear to be any relevant cases of ID theft incidents which may not be covered by the available laws at present. In my view, in particular, the adoption and revision of specific data breach disclosure laws that require firms to notify individuals when their personal information has been compromised can help to reduce ID theft risks – both by preventing ID theft and by reducing the victim’s losses and damages. Data breach disclosure laws can be considered as a possible remedy for ID theft. Their purpose is to help consumers to protect their personal information by requiring state agencies and businesses that keep consumers’ personal information in a computerised data system to quickly disclose to consumers any breach of the security of the system and to immediately notify a consumer whenever the consumer’s personal information has been compromised by unauthorised disclosure – provided that the information disclosed could be used to commit ID theft. Having been notified of a breach of their personal information, consumers could then make informed decisions and take appropriate actions to protect themselves against ID theft.

For example, to mitigate the risks, consumers can alert anyone who needs to be made aware of this incident – be it their banks, their credit card merchants, host providers, website operators or law enforcement bodies. The sooner consumers are notified of a breach of their personal information and are therefore able to detect ID theft risks, the sooner they will be able to take mitigating actions to protect themselves against ID theft. Clearly, any notification is likely to be more successful when the warning provides relevant information that will help the consumer to make an informed decision. However, once notified, the responsibility still lies with the individual to take appropriate actions. Once notified, consumers must themselves take responsibility to respond to their own risk of ID theft and take appropriate actions to protect themselves. The effectiveness of data breach disclosure laws relies on the actions taken thereupon. Therefore, first and foremost, it is important to raise public awareness of ID theft risks with consumers, businesses, state agencies and law enforcement bodies. In practice, it is not the law but law enforcement that needs to be strengthened in order to enforce the protection against ID theft on the Internet. The Internet is not restricted by territorial boundaries; it crosses all borders, and therefore the investigation of Internet crimes and the enforcement of law must be enabled to cross those borders as well – and this requires international cooperation.

Greece

Applicable laws

Laws focusing explicitly on ID theft
No legislation has been introduced in Greece that focuses explicitly on ID theft as a specific crime, or that defines such a crime. In practice, ID theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, etc.). No such legislation is currently under consideration to our knowledge.
Instead, the policy emphasis in Greece is more on improving awareness of ID theft risks among potential victims and law enforcement bodies. Any natural or legal person who is a victim of identity theft can make use of the protection offered by Articles 57 and 58 of the Greek Civil Code. Article 57 (Right to personality) provides that any person who has suffered an unlawful infringement of his personality has the right to claim the cessation of such infringement as well as its non-recurrence in the future. A claim for compensation, according to the provisions on tort, is not excluded. Similar is the provision of Article 58 (Right to name), which gives any person whose name has been questioned or is being unlawfully used by somebody else the right to claim the cessation of the infringement and its non-recurrence in the future. A claim for compensation, according to the provisions on tort, is again not excluded. According to Article 59 of the Greek Civil Code, in the cases of Articles 57 and 58 the court can order the person responsible to compensate the non-pecuniary damage caused. If the name in question is a trade name, then besides Article 58 it can be protected under Article 13 of law 146/1914 on unfair competition. Finally, if the name also serves as a trademark, then Articles 4, 18(3) and 26(1) of law 2239/1994 on trademarks, Article 1 of law 146/1914 on unfair competition, as well as Articles 914 and 919 of the Greek Civil Code are applicable. It should be noted that Greece has still not ratified the Council of Europe Convention on Cybercrime, nor has it transposed EU Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems into the Greek legal system.

Other laws that may apply to ID theft incidents

Data protection laws
Relevant law: Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data (Νόµος 2472/1997 «Προστασία του ατόµου από την επεξεργασία δεδοµένων προσωπικού χαρακτήρα»)
Reference: Government Gazette (GG) Α’ 50/10.04.1997, available online (with the latest amendments of Law 3783/2009) at http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/LAW/NOMOTHESIA%20PROSOPIKA%20DEDOMENA/2472_97_APR_10_FINAL.PDF; an unofficial English translation of the consolidated version of the law (as of March 2008) by the Hellenic DPA is available online at http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/LEGAL%20FRAMEWORK/LAW%202472-97-MARCH08-EN.PDF
Main provisions in relation to ID theft: As under the Data Protection Directive 95/46/EC, ID theft incidents will typically constitute unlawful processing, as they will violate the conditions of processing (article 5), proportionality obligations and the purpose restriction (article 4), transparency obligations (article 11), confidentiality and security obligations (article 10) and formal obligations such as notification to the Greek Data Protection Authority (article 6).
Prescribed sanction: Apart from the damages that the victim may receive in civil proceedings, the violations above can incur administrative sanctions (article 21) of 880 to 150.000 EUR [300.000 to 50.000.000 drachmas (GRD)] [127]. The violations can also be criminally sanctioned as detailed in article 22.
• Violations of article 6 can be criminally sanctioned with imprisonment [128] of up to 3 years and fines of 2.900 to 15.000 EUR [1.000.000 to 5.000.000 GRD].
• Violations relating to unlawful interference with a personal data file can be criminally sanctioned with imprisonment of up to 1 year and fines of 2.900 to 29.000 EUR [1.000.000 to 10.000.000 GRD].
• If the aforementioned violation was purported to gain unlawful financial benefit or to cause harm to a third party, the perpetrator can be criminally sanctioned with incarceration of up to 10 years and a fine of 5.900 to 29.000 EUR [2.000.000 to 10.000.000 GRD].
• If the aforementioned acts have jeopardised the free operation of democratic governance or national security, then the sanction imposed shall be incarceration and a fine of between 15.000 and 29.000 EUR [5.000.000 and 10.000.000 GRD].

[127] Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data states the sanctions in Greek drachmas (GRD). The conversion to EUR is made on the basis of Articles 3-5 of Law 2943/2001, GG A’ 203/12.09.2001.
[128] It is clarified that according to the Greek Penal Code: Custody ( ) is between 1 day and 1 month; Imprisonment ( ) is between 10 days and 5 years; Incarceration ( ) is between 5 years and 20 years, unless it is explicitly stated to be for life.

Communications secrecy laws
Relevant law: Law 3471/2006 ‘Protection of personal data and privacy in the electronic telecommunications sector and amendment of law 2472/1997’ [129] (Νόµος υπ’ αριθ. 3471/2006 «Προστασία δεδοµένων προσωπικού χαρακτήρα και της ιδιωτικής ζωής στον τοµέα των ηλεκτρονικών επικοινωνιών και τροποποίηση του ν. 2472/1997»)
Reference: Government Gazette (GG) Α’133/28.06.2006, available online at http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/LAW/NOMOTHESIA%20PROSOPIKA%20DEDOMENA/3471_2006.PDF; an unofficial English translation by the Hellenic DPA is available online at http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/LEGAL%20FRAMEWORK/LAW%203471-2006-EN.PDF.
Main provisions in relation to ID theft: Article 4(5) on Confidentiality states that ‘Electronic communications networks may not be used to store information or to gain access to information stored in the terminal equipment of a subscriber or user, particularly with the use of spyware, hidden identifiers or other similar devices. Exceptionally, any technical storage or access is permitted, when its sole purpose is to carry out or facilitate the conveyance of information through an electronic communications network, or when strictly necessary for the provision of information society services explicitly requested by the user or subscriber […].’ The provision applies generally to the use of electronic communications networks of all kinds in order to obtain information stored in the terminal equipment of the subscriber or user, and it would apply to any ID theft incidents requiring the collection or abuse of such data.

It is interesting to note that in Article 2(3) passwords are mentioned as an example of traffic data. It is therefore worth taking a closer look at the provisions of this law relating to the protection of traffic data, whose violation is also applicable in the case of passwords: Article 5 (Processing regulations) states that the processing of traffic data is only allowed (a) when the user or subscriber has provided consent upon notification as to the type of data, the aim and extent of their processing and the recipient or categories of recipients, or (b) when the processing is necessary for the implementation of the agreement to which the user or subscriber is party, or to take measures, during the pre-agreement stage, upon application by the subscriber. The provider of the public communications network or of the publicly available electronic communications service is neither allowed to use the data nor to transfer them to third parties for other purposes, unless the user or subscriber has given his clear and explicit consent (article 5(4)). The calling line non-identification option can be cancelled only (a) on a temporary basis, upon application of a subscriber requesting the tracing of malicious or nuisance calls (article 8(7)(a)), or (b) for emergency calls to the competent public authorities (article 8(7)(b)). Article 15(1) of this law additionally prohibits the unlawful use, collection, storage, taking knowledge of, extraction, alteration, destruction, transfer, disclosure or making accessible of personal data [including traffic or location data], making them available to unauthorised persons, allowing such persons to take notice of such data, or exploiting the data in any way whatsoever. If the perpetrator purported to gain unlawful benefit on his own behalf or on behalf of another person, or to cause harm to a third party (article 15(3)), the crime is punished with stricter sanctions (see below).

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Anyone who unlawfully uses, collects, stores, takes knowledge of, extracts, alters, destroys, transfers, discloses or makes accessible personal data [including traffic or location data], makes them available to unauthorised persons, allows such persons to take notice of such data, or exploits the data in any way whatsoever, can be criminally sanctioned with imprisonment of up to 1 year and a fine of between 10.000 and 100.000 EUR, unless otherwise subject to more serious sanctions (article 15(1)).
• Any data controller or representative thereof who does not comply with the acts of the Data Protection Authority imposing the administrative sanctions of provisional licence revocation, permanent licence revocation, file destruction or interruption of processing and destruction of the pertinent data, can be criminally sanctioned with imprisonment of at least 2 years and a fine of between 12.000 and 120.000 EUR (article 15(2)).
• If the perpetrator of the aforementioned acts purported to gain unlawful financial benefit on his own behalf or on behalf of another person, or to cause harm to a third party (article 15(3)), he can be criminally sanctioned with incarceration of up to 10 years and a fine of between 15.000 and 150.000 EUR. If the aforementioned acts have jeopardised the free operation of democratic governance or national security, the perpetrator shall be punished with incarceration and a criminal fine of between 50.000 and 350.000 EUR.

[129] Article 5(7) of Law 3471/2006 was recently amended by Article 8 of law 3783/2009 on the identification of owners and users of mobile telephony equipment and services and other provisions, GG A’ 136/07.08.2009. Article 5(7) of Law 3471/2006 was amended as follows: ‘The provider of electronic communications services available to the public has to, to the degree that this is technically feasible and is allowed by the present law, make possible the payment of these services in an anonymous way or via pseudonym. In cases where the technical feasibility of anonymous or pseudonymous payment of these services is questioned, the Hellenic Telecommunications & Post Commission (EETT) gives its opinion.’

Communications secrecy laws – Confidentiality of communications
Relevant law: Penal Code (Ποινικός Κώδικας)
Reference: Presidential Decree 283/1985, GG A’ 106/31.05.1985, as modified.
Main provisions in relation to ID theft: Article 370 forbids the violation of the confidentiality of letters.
Article 370A was added in order to forbid the violation of the confidentiality of telephone communication and oral conversation. More specifically, it forbids:
• Unfair interception of, or other intervention with, a device, connection or network for the provision of telephony services, or hardware or software used for the provision of such services, with the aim of obtaining for oneself or a third party information on, or recording on physical means, the content of a telephone conversation between third parties or the traffic or location data of such communication (article 370A(1)).
• Unfair monitoring using special technical equipment, or recording on physical means, of an oral conversation between third parties, or the recording on physical means of a non-public act of someone else (article 370A(2)).
• Using information, or the physical means on which such information has been recorded, as described above (article 370A(3)).
The performance of the aforementioned actions by a telephony service provider, its legal representative, a member of its management, its privacy assurance manager, an employee or partner, a person who performs private investigations, or a person who performs such actions by profession or habitually or with the aim of receiving fees for them, incurs stricter sanctions (article 370A(4)). Where the unfair interception of, or intervention in, a telephone conversation as described in article 370A(1), or the use of the information or the physical means on which it has been recorded as described in article 370A(3), entails the violation of military or diplomatic secrecy or concerns secrets relating to state security or the safety of public utility establishments, it is punished under articles 146 (with intent) and 147 (by negligence). The aforementioned provisions would apply to any ID theft incidents involving the recording of electronic communications.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of article 370A(1) can be criminally sanctioned with incarceration of up to 10 years. The same sanction applies where the culprit records on physical means the contents of a conversation between the culprit and another person without the latter’s express consent.
• Violations of article 370A(2) can be criminally sanctioned with incarceration of up to 10 years. The same sanction applies where the culprit records on physical means the contents of a conversation between the culprit and another person without the latter’s express consent.
• Violations of article 370A(3) can be criminally sanctioned with incarceration of up to 10 years.
• Violations of article 370A(4) can be criminally sanctioned with incarceration of up to 10 years and a fine of between 55.000 and 200.000 EUR.
• Violations of article 146 can be criminally sanctioned with incarceration of up to 10 years.
• Violations of article 147 can be criminally sanctioned with imprisonment of up to 3 years.

Comments: The confidentiality of communications is protected by article 19 of the Greek Constitution. Also relevant are the provisions of law 2225/1994 [Law 2225/1994 ‘For the protection of free reporting and communication and other provisions’, Government Gazette Α΄ 121/20.07.1994 (Νόµος 2225/1994 «Για την προστασία της ελευθερίας της ανταπόκρισης και επικοινωνίας και άλλες διατάξεις»)], the provisions of law 3115/2003 [Law 3115/2003 ‘Authority for the Assurance of Information and Communication Privacy and Security’, Government Gazette Α΄47/27.02.2003 (Νόµος 3115/2004 «Αρχή διασφάλισης του απορρήτου των επικοινωνιών»)] and Presidential Decree Nr.
47/2005 ‘Procedures and technical and organisational safeguards for the withdrawal of confidentiality of communications and its assurance’ [Government Gazette Α΄64/10.03.2005 (Προεδρικό διάταγµα 47/2005 «∆ιαδικασίες καθώς και τεχνικές και οργανωτικές εγγυήσεις για την άρση του απορρήτου των επικοινωνιών και για τη διασφάλισή του»)130]. Relevant are also the provisions of the recent Law 3674/2008 [Law 3674/2008 ‘Amplification of the institutional framework for the assurance of the secrecy of telephony communication and other provisions’, Government Gazette A’136/10.07.2008 (Νόµος 3674/2008 «Ενίσχυση του θεσµικού πλαισίου διασφάλισης του απορρήτου της τηλεφωνικής επικοινωνίας και άλλες διατάξεις»)]. Articles 248-250 of the Greek Penal Code punish the violation of the secrecy of communications by post and telecommunications employees.

130 Available online in Greek at http://www.adae.gr/portal/fileadmin/docs/nomoi/PD47.2005.pdf

Fraud
Relevant law: Penal Code (Ποινικός Κώδικας)
Reference: Presidential Decree 283/1985, GG A’ 106/31.05.1985, as modified.
Main provisions in relation to ID theft: Fraud in general is punished by Article 386 of the Penal Code. This article sanctions whoever, with the purpose of securing for himself or a third party a financial benefit, impairs another’s property by persuading someone to commit an act, to refrain from committing an act or to tolerate an act, through the intentional misrepresentation of facts as true or through the concealment of the true facts.

298 RAND Europe National Profiles

Prescribed sanction: Violations of Article 386 can be criminally sanctioned with imprisonment of at least 3 months. If the damage caused is particularly big, it is sanctioned with imprisonment of at least 2 years.
Other relevant provisions: Article 1 of Law 1608/1950 (GG A’310/28.12.1950) foresees that when the fraud (Article 386 P.C.) is turned against the State or a Public Entity (legal entity of public law) or any other legal entity mentioned explicitly in Article 263A P.C., and the benefit gained or sought by the culprit or the damage caused or definitely threatened is over 15.000 EUR, then the culprit is sentenced with incarceration; if there are special aggravating circumstances or the object is of especially high value, they can be sentenced for life.

Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law: Penal Code (Ποινικός Κώδικας)
Reference: Presidential Decree 283/1985, GG A’ 106/31.05.1985, as modified.
Main provisions in relation to ID theft: Forgery is punished by Article 216 and following of the Penal Code, including particularly:
• Art. 216(1): forgery or falsification of a document in order to mislead any other person by using it with regard to an event that can have legal consequences.
• Art. 216(1): the use of the document by the person who forged or falsified it is considered an aggravating circumstance.
• Art. 216(2): the use of a forged or falsified document with full knowledge in order to mislead any other person with regard to an event that can have legal consequences.
• Art. 216(3)(a): if the culprit (of 216(1) or (2)) intended to procure for himself or somebody else a financial benefit by harming a third person, or intended to harm another person, and the total benefit or the total damage is over 73.000 EUR, the sanctions are stricter.
• Art. 216(3)(b): if the culprit conducts forgeries as a profession or repeatedly and the total benefit or the total damage is over 15.000 EUR, the sanctions are stricter.
• Art. 217(1): the forgery or falsification of a certificate, proof or other document with the aim of facilitating the direct well-being, movement or social progress of himself or another person.
• Art. 217(1): the use, with full knowledge, of such a forged or falsified document.
• Art. 217(2): the use of a genuine document for the purposes mentioned in 217(1), which is however issued for another person.
Article 243 foresees a crime that can be relevant to identity theft: the crime of omission of identity verification. An employee who is responsible for the issuing or the drafting of public documents is punished with imprisonment of at least 3 months if, during the issuing or the drafting of such a document, he fails to verify the identity of the person mentioned in the document in the way and under the conditions prescribed in the law. Relevant is also the provision of Article 242, which relates to an employee who is responsible for the issuing or the drafting of specific public documents. If he intentionally certifies a false incident that can have legal consequences, he can be punished with imprisonment of at least 1 year.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of Article 216(1) can be criminally sanctioned with imprisonment of at least 3 months.
• Violations of Article 216(2) can be criminally sanctioned with imprisonment of at least 3 months.
• Violations of Article 216(3)(a) can be criminally sanctioned with incarceration of at least 10 years, if the total benefit or the total damage is over 73.000 EUR.
• Violations of Article 216(3)(b) can be criminally sanctioned with incarceration of at least 10 years.
• Violations of Article 217(1) can be criminally sanctioned with imprisonment of up to 1 year or with a financial fine.
• Violations of Article 217(2) can be criminally sanctioned with imprisonment of up to 1 year or with a financial fine.
Other relevant provisions: Article 22(1) of Law 1599/1986 (GG A’ 75/11.06.1986) punishes the forgery or falsification of an identity card, pursuant to the provisions of Art 216(1) P.C. (ie, imprisonment of at least 3 months).
The same paragraph punishes the use, with full knowledge, of a forged or falsified identity card (imprisonment of at least 3 months). Article 22(2) of Law 1599/1986 punishes the use of an identity card for proving the data contained in it while knowing that it has been modified (imprisonment of at least 3 months).
Article 1 of Law 1608/1950 (GG A’310/28.12.1950) foresees that when the forgery or falsification (Article 216 P.C.) is turned against the State or a Public Entity (legal entity of public law) or any other legal entity mentioned explicitly in Article 263A P.C., and the benefit gained or sought by the culprit or the damage caused or definitely threatened is over 15.000 EUR, then the culprit is sentenced with incarceration; if there are special aggravating circumstances or the object is of especially high value, they can be sentenced for life.
Article 54(7) of Law 2910/2001 (GG A’ 91/02.05.2001) states that whoever unlawfully has in his possession or uses a genuine passport or another travel document of another person is punished with imprisonment of at least 3 months and a fine of at least 1.500 EUR. The same sanction applies to any person who has in his possession or makes use of a forged passport or other travel document. Article 54(8) of Law 2910/2001 punishes the person responsible for a travel agency or immigration, or anybody else, who submits on behalf of a third party supporting documents for the issuing of a travel document with data that do not correspond to the identity of the person, with imprisonment of at least 3 months and a fine of 3.000 EUR. The same is the sentence for the person on whose behalf the documents are submitted.

Cybercrime - illegal access to information systems (hacking)
Relevant law: Penal Code (Ποινικός Κώδικας)
Reference: Presidential Decree 283/1985, GG A’ 106/31.05.1985, as modified.
Main provisions in relation to ID theft: The Greek Penal law contains two provisions that relate to hacking: Article 370C(2)131 and Article 370B, which punishes the violation of secret computer elements or software. Article 370C(2) punishes the unauthorised access to computer data.
• More specifically, Article 370C(2) punishes whoever gains access to elements introduced to a computer or to a computer’s peripheral memory or transmitted through telecommunications systems, provided that these actions have taken place without right, in particular by contravening restrictions or security measures that the lawful holder had taken.
• If the action described in Article 370C(2) refers to the international relations or the security of the State, it is punished according to Article 148 on espionage.
Article 370C(3) clarifies that if the perpetrator is in the service of the legal holder of the elements, the action described in Article 370C(2) is only punishable if it is explicitly forbidden in the internal regulation or in a written decision of the owner or authorised personnel. Article 370C(2), to the extent that it refers to elements transmitted through telecommunications systems, also covers electronic mail, teletext and videotext. Committing an illegal access to information systems with the intent of committing another crime would attract the heavier sentence, augmented depending on the circumstances (Articles 94-98 P.C.).
Article 370B punishes the violation of secret computer elements or software.
• More specifically, Article 370B(1) punishes whoever unlawfully copies, depicts, uses, discloses to another or in any case breaches computer elements or software which constitute state, scientific or professional secrets or business secrets of the public or the private sector. Secrets are also considered to be those that the legal holder thereof treats as such, based on a justified interest, in particular if he has taken measures to prevent third parties from knowing about them.
• Article 370B(2): if the perpetrator is in the service of the holder of the elements and if the secret is of particularly high financial value, the action is punished in a stricter way.
• Article 370B(3): if the secret is a military or diplomatic one or refers to a secret relating to state security, it is punished under Articles 146 (with intent) and 147 (by negligence).
This would apply to any ID theft incidents involving the use of false credentials to gain unauthorised access to an information system.

131 Paragraph 1 of Article 370C deals with the unauthorised copying or use of computer software, while paragraphs 2 and 3 deal with the unauthorised access to computer data.

Prescribed sanction:
• Violations of 370C(2) can be criminally sanctioned with imprisonment of up to 3 months or with a fine of at least 29 EUR (up to 15.000 EUR).
• Violations of 370C(2) that refer to the international relations or the security of the State can be criminally sanctioned with imprisonment of at least one year.
• Violations of 370B(1) can be criminally sanctioned with imprisonment of at least three months.
• Violations of 370B(2) can be criminally sanctioned with imprisonment of at least one year.
• Violations of Article 146 can be criminally sanctioned with incarceration of up to 10 years.
• Violations of Article 147 can be criminally sanctioned with imprisonment of up to 3 years.

Cybercrime – illegal data interference
Relevant law: Penal Code (Ποινικός Κώδικας)
Reference: Presidential Decree 283/1985, GG A’ 106/31.05.1985, as modified.
Main provisions in relation to ID theft: Article 370C(2) can also be used for cases of illegal data interference (see above ‘Cybercrime - illegal access to information systems (hacking)’). The analysis regarding Article 370C(2) applies here mutatis mutandis.
To the extent that the perpetrator has the intent to obtain an unlawful material benefit via the data interference, Article 386A (fraud with a computer) is applicable, as described in detail below under ‘Cybercrime – computer-related fraud’. Illegal data interference, such as the deployment of malicious code, can also be punished under Article 381 on property damage (impairment of property).
• Article 381 punishes whoever intentionally destroys or harms another’s object (wholly or partly) or in any other way renders its use impossible.
Data that qualify as documents (Article 13c P.C.) are also protected against illegal interference under Article 222, which punishes whoever, with the intent to harm another person, conceals, damages or destroys a document of which he is not the owner or the sole owner, or on which somebody else has a legal right to ask for its delivery or its demonstration, according to civil law provisions. However, interference with data that cannot be protected under the data protection legislation or do not qualify as documents can still remain unpunished.
Prescribed sanction:
• Violations of Article 381 can be criminally sanctioned with a fine or imprisonment of up to 2 years.
• Violations of Article 222 can be criminally sanctioned with a fine or imprisonment of up to 2 years.

Cybercrime – computer-related forgery
Relevant law: Penal Code (Ποινικός Κώδικας)
Reference: Presidential Decree 283/1985, GG A’ 106/31.05.1985, as modified.
Main provisions in relation to ID theft: Forgery is punished by Article 216 and following of the Penal Code, as described above (see section ‘Forgery with respect to identity’). The provisions of Article 216 punish the following acts:
• Art. 216(1): forgery or falsification of a document in order to mislead any other person by using it with regard to an event that can have legal consequences.
• Art. 216(1): the use of the document by the person who forged or falsified it is considered an aggravating circumstance.
• Art. 216(2): the use of a forged or falsified document with full knowledge in order to mislead any other person with regard to an event that can have legal consequences.
• Art. 216(3)(a): if the culprit (of 216(1) or (2)) intended to procure for himself or somebody else a financial benefit by harming a third person, or intended to harm another person, and the total benefit or the total damage is over 73.000 EUR, the sanctions are stricter.
• Art. 216(3)(b): if the culprit conducts forgeries as a profession or repeatedly and the total benefit or the total damage is over 15.000 EUR, the sanctions are stricter.
Article 216 P.C. also covers computer-related forgery. The broadening of the definition of ‘document’ in Article 13(c) P.C.132 allows the use of Article 216 as the basis for computer-related forgery. More specifically, the definition was broadened as follows: ‘[…] Document is also any means which is used by a computer or a computer’s peripheral memory, in electronic, magnetic or other way, for the recording, storing, producing or reproducing of elements which cannot be read directly, as well as any magnetic, electronic or other material on which any information is recorded, or picture, symbol or sound, individually or in combination thereof, provided these means and materials are destined or are appropriate to prove facts that have a significance in law.’ So Article 216 covers all kinds of ‘electronic documents’, such as CDs, magnetic tapes, cassettes, etc. For the application of Article 216 the way of ‘writing’ the forged document is not important, whether this was done by hand, typewriter, personal computer or any other means.

132 The amendment was introduced with Article 2 of Law 1805/1988 (GG A’ 199/31.08.1988).

Prescribed sanction: As already mentioned under section ‘Forgery with respect to identity’, the following sanctions relate to Article 216:
• Violations of Article 216(1) can be criminally sanctioned with imprisonment of at least 3 months.
• Violations of Article 216(2) can be criminally sanctioned with imprisonment of at least 3 months.
• Violations of Article 216(3)(a) can be criminally sanctioned with incarceration of at least 10 years, if the total benefit or the total damage is over 73.000 EUR.
• Violations of Article 216(3)(b) can be criminally sanctioned with incarceration of at least 10 years.

Cybercrime – computer-related fraud
Relevant law: Penal Code (Ποινικός Κώδικας)
Reference: Presidential Decree 283/1985, GG A’ 106/31.05.1985, as modified.
Main provisions in relation to ID theft: Article 386A punishes fraud with a computer. More specifically, Article 386A punishes whoever, with the intent of obtaining for himself or for a third person an unlawful material benefit, damages the assets of another by affecting the elements of a computer, either through incorrect configuration of a program, or interference in the operation of a program, or use of incorrect or incomplete data, or in any other way. Under Article 187 the perpetrator who establishes a group of three or more persons with the intention of committing more than one offence, among which the offence of 386A (fraud with a computer), shall be punished with imprisonment of up to 10 years. This would apply to, for example, any ID theft incidents involving the modification of information systems in order to obtain usernames/passwords (eg, phishing) with the intent to gain a material benefit. The Supreme Court (Άρειος Πάγος) in its decision 1277/1998 clarified that Article 386A (fraud with a computer) is a ‘different crime’ to the one of Article 386 (fraud).
Prescribed sanction: Violations of Article 386A can be criminally sanctioned with imprisonment of at least 3 months.
If the damage caused is particularly big, it is sanctioned with imprisonment of at least 2 years.

Application in practice

Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else’s name)
Applicable law(s): Such an incident would likely involve:
- violation of data protection laws, since personal data of the victim would likely be unlawfully processed to make the false identity believable (eg, publication of the victim's name, address, photo, etc.);
- violation of communication secrecy laws, if the false profile results in messages being sent to the false profile which were intended for the real recipient;
- forgery and/or computer-related forgery, if the forgery changed the legal impact of the information;
- fraud and/or computer-related fraud, if the false identity was used to unlawfully appropriate property.
Case law available? The Thessaloniki One Member Court of First Instance (Μονοµελές Πρωτοδικείο Θεσσαλονίκης), in the context of an injunction application, recently dealt with a case relating to the posting on Facebook of data without the permission or the consent of the person concerned (Decision 16790/2009). The defendant created a Facebook account under a fake name and posted defamatory information about, and documents of, the plaintiff. This act was considered as unlawful processing of personal data and violation of the personality of the defendant. The decision is published in the Law Journal Media and Communication Law (∆ΙΜΕΕ 2009/400). However, it should be noted that the decision on the case is not final yet.
Unlawfully using another person’s credentials (eg, using someone else’s username or password to send emails in his/her name)
Applicable law(s): Most of the qualifications above could apply, depending on how the credentials were used:
- violation of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully processed;
- violation of communication secrecy laws, if use of the credentials can be qualified as unlawful access to data related to electronic communication (eg, to make bank transfers);
- fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal access to information systems, if the credentials were used to access a system without authorisation.
Case law available? Several cases are known, specifically in relation to using a third party’s stolen credit/debit card. The Greek courts have treated the use of credit/debit cards in different ways. The Athens Court of Appeals (Εφετείο Αθηνών) in its decision 1904/1991 considered the use of a cash card and its secret code as theft, without even considering the crime of fraud with a computer (386A P.C.). The Military Court of Athens (∆ιαρκές Στρατοδικείο Αθηνών) (2897/1994) also considered this action as theft. However, the Naval Court of Piraeus (Ναυτοδικείο Πειραιώς) in its decision 418/1996 considered the use of the bank card of another person as fraud with a computer, constituting the crime of 386A P.C. The Three Member Criminal Court of Athens (Τριµελές Πληµµελειοδικείο Αθηνών) ruled in its decision 3668/2006 that the two defendants who had intervened in the computer system of a bank and transferred an amount of money from the bank account of a foreign citizen to their own bank account were to be indicted for the offences of fraud with a computer (Article 386A P.C.) and for violations of the data protection law.
Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else’s bank account)
Applicable law(s): The act of phishing itself (independent from what the perpetrator would do with the stolen information) would likely be:
- a violation of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully processed;
- violation of communication secrecy laws, if the collection of the credentials can be qualified as unlawful access to data related to electronic communication;
- fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal data interference, if the act of phishing involved entering, changing or deleting information in an information system without authorisation (eg, in order to falsify a website).
Case law available? No known case law.

Using spyware to obtain identity information (eg, installing a computer programme that records which usernames and passwords are used and communicates these to a hacker)
Applicable law(s): The act of using the spyware itself (independent from what the perpetrator would do with the stolen information) would likely be:
- a violation of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully processed;
- violation of communication secrecy laws, if the collection of the credentials can be qualified as unlawful access to data related to electronic communication;
- illegal access to information systems, since installing the spyware is likely a violation of access rights;
- illegal data interference, since installing the spyware likely involves installing software on the victim’s information system without authorisation.
Case law available? The Supreme Court (Άρειος Πάγος) in its decision 243/2009 dealt with an interesting case in the context of a decision on the extradition of a person to the U.S. The defendant was a member of a multinational Internet criminal business dealing with stolen credit card numbers and other personal identification codes (among which passwords) via the Internet. More specifically, the defendant was intercepting, via a computer and in a way the details of which were technically unknown, the credit card numbers, codes and identity card details of others during their transactions on the Internet. He was then selling them for a fee to third parties via the Internet. The Court expressed the view that when a computer is used as the medium for the deception of third parties, while no intervention on the configuration of the program or its application takes place, then the crime committed is fraud (386 P.C.) and not fraud with a computer (386A P.C.).

Using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits
Applicable law(s): The act of using falsified identity documents to unlawfully apply for social benefits would likely be:
- a violation of data protection laws, since the stolen information enabling one to apply for social benefits is likely to be considered personal data which is being unlawfully processed;
- forgeries related to identity documents, frauds related to incomplete or false statements in order to obtain social benefits, fraudulent procurement of false official certification and possibly a fraudulent public use of a third party's name;
- illegal access to information systems, since installing the spyware is likely a violation of access rights;
- illegal data interference, since installing the spyware likely involves installing software on the victim’s information system.
Case law available? In decision 887/2008, the Supreme Court (Άρειος Πάγος) ruled in a case in which a citizen managed to deceive the authorities with regard to her date of birth in order to receive a pension from the Social Insurance Institute under the early retirement status. The District Court of Amarousion in its recent decision 1015/2010 dealt with the issue of identity theft, relating it to the protection of personal data. By using the identity card of another person, someone managed to conclude a contract with a mobile telephony operator. According to the court decision, the conclusion of the contract for mobile telephony services by a person who was not the owner of the identity data submitted raises liability issues for the mobile telephony provider, which accepted the data without verifying the signature on the identity card against the one put on the contract. Although this is a preliminary ruling in which the court requests additional evidence, it is the first time that the legal framework on data protection in electronic communications has been accepted in identity theft cases. More specifically, the court makes reference to both the Greek data protection law (2472/1997) and Law 3471/2006 on the protection of personal data and privacy in the electronic telecommunications sector.

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law(s): The act of trafficking in unlawfully obtained information would likely be:
- a violation of the data protection act, since the personal information would be unlawfully processed;
- a violation of communication secrecy laws, if the personal information contained data related to electronic communication (like email addresses, IP addresses, etc.).
Case law available? In 2003 the Supreme Court (Άρειος Πάγος) in decision 121/2003 dealt with a case in which perpetrators, acting together and with common intent, copied onto diskettes the list of clients from the victim’s computer with the intention of using the clientele in a competing travel agency that the perpetrators established following the departure of one of the perpetrators. The Supreme Court held that an offence was committed under Article 370B P.C. (violation of secret computer elements or software).

ID theft reporting mechanisms

Saferinternet.gr (& SafeLine)
Saferinternet.gr (www.saferinternet.gr) is the awareness-raising and information website of the Greek Awareness Centre. It is an awareness-raising initiative for a safer Internet under the auspices of the Hellenic Ministry of Economy and Finance/Special Secretariat of Information Society, in cooperation with various private and public market players. Saferinternet.gr serves as an information portal for the reporting of Internet-based crimes, but also focuses, among others, on identity theft (http://www.saferinternet.gr/index.php?objId=Category27&parentobjId=Page2). For the reporting of violations (including identity theft incidents) Saferinternet.gr makes use of the hotline SafeLine (http://www.safeline.gr/), which is one of the further axes of Saferinternet.gr. Although SafeLine focuses mainly on illegal Internet content, it is also used as the reporting mechanism for any Internet-based crime, including identity theft. Most of the information on Saferinternet.gr is only available in Greek, with only general information in English. However, SafeLine is available both in Greek and in English. SafeLine acts in practice as a single contact point through which Internet-based crime incidents (eg, phishing) can be reported.
Citizens are given four possibilities for reporting a crime: (a) on-line by filling in an online reporting form (available at http://www.safeline.gr/report/index.php); (b) by post; (c) by email sent to [email protected]; or (d) by phone. A hotline is available on working days between 9:00 and 16:00. On-line reporting is realised via standardised forms, with interfaces available both in Greek and English. Anonymous reports are possible; only the source where the crime was observed is mandatory (a URL, newsgroup and Message ID, file link for P2P networks, …). The citizen is also required to define the broad category to which the crime belongs (personal data violation, communication privacy breach, Internet fraud, …). SafeLine recently installed a new service which allows the reporting of cases via the sending of a simple to 54260. All reports submitted via the site are forwarded to the Greek Police, regardless of the originating country of the reported content. More specifically, SafeLine works in close cooperation with the Computer Crime Unit (CCU, http://www.astynomia.gr/index.php?option=ozo_content&perform=view&id=1763&Itemid=378&lang), which is responsible for the investigation of Internet-related crime. If the reported content originates from abroad, SafeLine also forwards the report to a hotline in the country of origin (if one exists).

ADAE
ADAE (www.adae.gr) is the Hellenic Authority for Information and Communication Security and Privacy and is an independent administrative authority. Its goal is to protect the secrecy of mail and the free correspondence or communication in any possible way, as well as the security of networks and information. ADAE is responsible for several ID theft crimes, such as cases of email interception, illegal access to a mail server for the interception of emails, etc. Citizens can file a complaint at ADAE by post, by fax, or in person at the premises of ADAE every day between 10.00 and 12.00.
They can also file a complaint online via a standardised form, which is only available in Greek.

DPA
When ID theft relates to the processing of personal data, the citizen can file a complaint with the Greek Data Protection Authority (www.dpa.gr). The citizen can fill in the Word form, which is available for download at http://www.dpa.gr/pls/portal/url/ITEM/43E2FA7E94C3AE2FE040A8C07D245B6F (only in Greek), and has to send it to the DPA by post, fax or email, or bring it in person every day between 9.00 and 13.00.

Other sites
Apart from SafeLine (part of Saferinternet.gr), and the possibility to file a complaint with ADAE or the Greek DPA, several other sites play a mainly informative role with respect to ID theft, including notably:
d.a.r.t. (Digital Awareness and Response to Threats, www.dart.gov.gr) is a group that aims at informing citizens about, preventing and dealing with dangers related to information and electronic communications technologies. d.a.r.t. has a dedicated page on spam and phishing, as well as on viruses/worms/Trojans/spyware and on ‘electronic’ fraud. The information is available in Greek.
The Special Secretariat of Information Society created the website http://www.1020.gr/, which is part of the Digital Greece project (http://www.psifiakiellada.gr/). On the website there is a lot of information on the protection of Internet users and the secure use of the Internet. However, it seems that this website has stopped being updated.
The Hellenic Bank Association has set the protection of citizens as one of its main priorities. Therefore most Greek banks provide significant information to citizens on how they can protect themselves from identity theft (among other cases), focusing especially on phishing. Emporiki Bank for instance provides a link to the Anti-Phishing Working Group (www.antiphishing.org), which is available in English.
Personal assessment of the framework for combating ID theft
Greece has still not ratified the Council of Europe Convention on Cybercrime (185). Similarly, it has not transposed the EU Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems into the Greek legal system. However, the aforementioned analysis shows that most ID theft cases can be covered under the current legislation. Especially crimes that relate to a computer are punishable under the Greek Penal Code, offering sufficient legal protection. However, the wording of Articles 370C(2) and 386A is not broad enough to cover all kinds of crimes relating to the integrity of computers and data. Therefore the broadening of the scope of Article 370C(2), and maybe also the decoupling of fraud with a computer (386A) from the crime of fraud (386), will be enough to offer a solution to this problem. With regard to data interference, a new provision punishing any kind of data interference would offer protection in cases that may now remain uncovered by the existing legal provisions, especially when the data do not qualify as personal data or as a document. The use of SafeLine as the primary portal for reporting ID theft incidents cannot be considered sufficient, as SafeLine actually aims at the protection of citizens, and mainly minors, against illegal and harmful content. The expansion of the activities of SafeLine in practice and their good cooperation with the police authorities has significantly contributed to the protection of victims of ID theft. The investigation of incidents remains complicated in practice, especially in cross-border cases. Even when clear evidence of an ID theft incident can be found (eg, a fake profile on a social networking website through which false information is being spread), it can often prove difficult to convince the website operators to take the offending information off-line, and even harder to obtain information from the operator that would make it possible for local judicial authorities to investigate the crime further (eg, IP addresses or mail addresses used by the offender). In practice, this appears to be the main challenge to combating ID theft incidents.

Hungary

Applicable laws
Laws focusing explicitly on ID theft
ID theft is not a specific crime under Hungarian legislation. While some elements related to identity theft, such as personal data abuse, illegal access to computer systems or communications networks, are covered by specific acts, these behaviours, as well as fraud and forgery, are punishable under the Criminal Code. The preparation of the bill on IT Security was finished in 2009133. The bill gives the definition of ID theft and botnet, and if it is enacted in time these crimes should be sanctioned by the (amended version of the) Criminal Code from January 1, 2011.
Other laws that may apply to ID theft incidents
The amendment of the Criminal Code coming into force on August 9, 2009 changed Articles 177 and 300, related to criminal misuse of personal data and computer-related crimes, and therefore any person who is engaged in the unauthorized and inappropriate processing of personal data shall be punished134. The new Civil Code (Act CXX of 2009), in the event of privacy violations, such as of the right to personal data protection, introduces eligibility for an offence prize in the system of sanctions. The judgement of an offence prize can be requested from the court without the loss or damage being demonstrated (this applies to privacy rights violations that occurred after May 1, 2010).
[133] The author, as the then head of department of the former Ministry of Informatics and Communications, initiated it in 2005.
[134] Earlier, the person who had been engaged in the unauthorized and inappropriate processing of personal data had only been punishable if the act caused a significant injury of interests, and this fact was very difficult to prove.

Data protection laws

Relevant law: Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interest (1992. évi LXIII. törvény a személyes adatok védelméről és a közérdekű adatok nyilvánosságáról – Avtv).

Avtv Reference: See http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=99200063.TV (the version currently in force) or, in English, http://abiweb.obh.hu/dpc/index.php?menu=gyoker/relevant/national/1992_LXIII

Main provisions in relation to ID theft: As under the Data Protection Directive 95/46/EC, ID theft incidents will typically constitute unlawful processing, as they will violate legitimacy requirements (article 3), proportionality obligations and the purpose restriction (article 5), transparency obligations (article 6), fair and lawful processing (article 7), security obligations (article 10) and formal obligations such as the prior notification to the Data Protection Commissioner (article 28).

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of privacy may be sanctioned under Act IV of 1978 on the Criminal Code according to the following provisions [135]:

Article 177 (1): any person who reveals any private secret he/she has obtained in a professional or official capacity without due cause is guilty of a misdemeanour punishable with a fine; (2): the punishment shall be imprisonment for up to one year, community service work, or a fine, if the crime results in a significant injury of interest.

In the case of Misuse of Personal Data: Article 177/A (1) Any person who, for unlawful financial gain or advantage, or who imposes significant injury to the interests of another person or persons, in violation of the statutory provisions governing the protection and processing of personal data: a) is engaged in the unauthorized and inappropriate processing of personal data; b) fails to take measures to ensure the security of data; is guilty of a misdemeanour punishable by imprisonment for up to one year, community service, or a fine [136].

[135] In case of infringement of his rights, the data subject, or the person specified in paragraph (4) of Article 16/A of the Avtv, may institute civil court proceedings against the data controller. The court shall hear the case out of turn (article 17). The data controller shall be liable for any damage suffered by data subjects as a result of unlawful processing of their data or as a result of an infringement of the technical requirements of data protection. The data controller shall also be liable for any damage suffered by the data subject resulting from the actions of a technical data processor (article 18).

Communications secrecy laws – existence and technical aspects of electronic communication

Relevant law: Act C of 2003 on electronic communications (2003. évi C. törvény az elektronikus hírközlésről – Eht.).
[136] Furthermore: (2) Any person shall be punished according to paragraph 1 who does not satisfy her/his obligation of information, violating the statutory provisions governing the protection and processing of personal data, and thus significantly hurts the interests of somebody else or others; (3) The misdemeanour is punishable with imprisonment for up to two years, community service work, or a fine, if the misuse of personal data is committed with special personal data; (4) The punishment for the felony shall be imprisonment for up to three years if it is committed by a public official or in the course of discharging a public duty.

Eht. Reference: See http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=A0300100.TV (the applicable version) or, in English, http://www.nhh.hu/dokumentum.php?cid=10617

Main provisions in relation to ID theft: The relevant rules concerning security and ID theft are the following:

Article 68 (3): in the course of its market surveillance activities the National Communications Authority may apply sanctions in the following cases of infringements: a) non-compliance with electronic communications regulations, notifications of service providers, standard contract conditions; d) failure to comply with any notification requirement; e) failure to comply or inadequate compliance with disclosure obligations [137].

Articles 154-156, about the protection of personal data by service providers, regulating their rights and obligations:
Article 155.1: service providers shall take appropriate technical and organizational measures - jointly with other service providers if necessary - in order to block any unauthorized attempt to intercept, store or monitor communications transmitted and any related traffic data, and to prevent any unauthorized or accidental access to communications transmitted and any related traffic data (privacy of communications).
Article 156.1: service providers shall take appropriate technical and organizational measures - jointly with other service providers if necessary - in order to safeguard the security of their services.
Article 156.3: in case of a particular risk of a breach of the security of services in spite of the technical and organizational measures taken, the service provider must inform the subscribers concerning such risk and the measures the subscribers may take to enhance the level of protection [138].

Prescribed sanction: Infringements of communications secrecy may be sanctioned under articles 5 and 80-84 of the Civil Code (the latter articles of Act IV of 1959 were superseded in May 2010). Article 33 of the Eht. prescribes the penalties assessed by the National Communications Authority. According to paragraph 2, the maximum amount of the penalty is set at (according to the relevant case): a) 0.25 per cent of the perpetrator's revenues; or b) five times the net purchase price of any electronic communications equipment that was placed on the market illegally. (3) In the cases not mentioned immediately above, the Authority may impose a penalty of 0.05 per cent of the revenues, or a minimum of 100,000 forints [139] (about 380 EUR). (5) Additionally, the Authority may impose a penalty of between 50,000 and 3 million forints, and must impose the penalty for a repeat offence committed by the executive officer of the offender organization.

[137] Article 74(1) sets forth that any natural or legal person or unincorporated organization shall be entitled to operate an electronic communications network in the Republic of Hungary and to provide services through an electronic communications network, subject to compliance with the conditions laid down in this Act and in specific other legislation. According to Article 76(1), providers of electronic communications services shall notify the Authority, for the purpose of registration, of their intention to provide electronic communications services, indicating the proposed date of commencement. Article 80(3), about electronic communications equipment, prescribes that radio equipment or electronic communications terminal equipment shall be so constructed that it incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected, and that it supports certain features ensuring the avoidance of fraud; the conformity shall be certified (paragraph 4). Article 83 paragraph (1) requires that providers of electronic communications services, within the framework of cooperation relating to the operation of public electronic communications networks and the interconnection of and access to these networks, shall ensure the safety of public electronic communications networks by protection against unauthorized access.
[138] It should be mentioned that Government Decree 229/2008. (IX. 12.) Korm. on the requirements related to the quality of electronic communications services in relation to the protection of consumers points out under Article 8 § 6 that the electronic communications network shall be considered protected if the service provider ensures, by physical and administrative measures, that unauthorised access to the electronic communications network, the electronic communications service or information provided by subscribers is viable exclusively under especially difficult conditions – hence especially in a manner entailing visible damage or through other conspicuous means, or by using illicit means or methods.
[139] The exchange rate for 1 Euro was about 265 Forints at the time of completing the national report.

Communications secrecy laws – contents of electronic communication

Relevant law: Criminal Code (1978. évi IV. törvény a Büntető Törvénykönyvről – Btk.).

Btk Reference: See http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=97800004.TV&timeshift=0 or some of the relevant articles in English: http://abiweb.obh.hu/dpc/index.php?menu=gyoker/relevant/national/1978_IV

Main provisions in relation to ID theft: Article 178. Violation of the Privacy of Correspondence: any person who opens or obtains a sealed parcel containing a communication which belongs to another person for the purpose of gaining knowledge of the contents thereof, or conveys such to an unauthorized person for this purpose, as well as any person who taps a correspondence forwarded through telecommunications equipment, is guilty of a misdemeanour. Article 178/A. Illicit Possession of Private Information: any person who, for the illicit possession of private information: […] d) captures correspondence forwarded by means of communications equipment or computer network to another person and records the contents of such by technical means, is guilty of a felony.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of article 178 can be criminally sanctioned with fines, if such act does not result in a more serious criminal act. The punishment shall be imprisonment for up to one year, community service work, or a fine, if the crime is committed in a professional or official capacity. The punishment shall be imprisonment for up to two years if the crime results in a significant injury of interest. Violation of article 178/A is a felony punishable by imprisonment for up to five years. The punishment shall be imprisonment of between two and eight years if the crime is committed: a) by feigning official action; b) in a pattern of business operation; c) as part of a criminal conspiracy; d) causing significant injury of interests.

Fraud

Relevant law: Criminal Code (1978. évi IV. törvény a Büntető Törvénykönyvről – Btk).
Btk Reference: See http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=97800004.TV&timeshift=0

Main provisions in relation to ID theft: Fraud in general is punished by Article 318 of the Criminal Code. This article sanctions any act of using deception (including the use of false names or titles, or any other type of deceptive manipulation or abuse of good faith or credulity) with a view to obtaining unlawful financial gain or advantage, if the deception causes damage. This would apply to any ID theft incidents involving the use of a falsified identity to appropriate property.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of article 318 can be criminally sanctioned as follows:
- paragraph (2): the punishment for the misdemeanour, if the fraud causes petty damage, shall be imprisonment for up to two years, community service or a fine; the same applies if the fraud causing damage not exceeding the value limit of a minor offence is committed as part of a criminal conspiracy, in case of emergency or in a pattern of business operation.
Furthermore, the punishment will be imprisonment for up to three years, between one and five years, between two and eight years or between five and ten years if, respectively, the fraud causes greater damage, significant damage, particularly great damage or particularly significant damage.

Forgery with respect to identity (ie, falsifying identities on a document)

Relevant law: Criminal Code (1978. évi IV. törvény a Büntető Törvénykönyvről – Btk).

Btk Reference: See http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=97800004.TV&timeshift=0

Main provisions in relation to ID theft: Forgery with respect to identity is punished under Title III of the Criminal Code, by Articles 274, 275, 276 and 277.

Document forgery: Article 274, paragraph (1): a person who: a) prepares a false document or falsifies the content of a document; b) uses a false or falsified document or a document of any other person; c) collaborates in the preparation of a document containing untrue data concerning the existence, changing or ceasing of a right or an obligation, is guilty. Paragraphs (2) and (3) sanction a person who commits the preparation of document forgery and the forgery of a document in the manner defined in sections a) or b) of paragraph (1).
Article 275, paragraph (1): a public officer abusing his competence who: a) makes a false document or falsifies the content of a document, b) sets an essential fact in a document falsely, is guilty of a felony.
Forgery of private agreements: Article 276, paragraph (1): a person who uses a private agreement with false, forged or untrue content for proving the existence, changing or ceasing of a right or an obligation, is guilty.
Abuse of a document: Article 277, paragraphs (1) and (2): a person who unlawfully obtains a document without the consent of the owner, or destroys, damages or conceals a document which is not, or not exclusively, his own (also applying to a private agreement, in order to obtain an unlawful advantage or to cause an unlawful disadvantage), is guilty of a misdemeanour.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of article 274 can be criminally sanctioned in § (1) with imprisonment for a term not exceeding three years; in § (2) with imprisonment for up to one year, community service work, or a fine; in § (3) with a fine.
• Violations of article 275 can be criminally sanctioned with imprisonment for up to five years.
• Violations of article 276 can be criminally sanctioned with imprisonment for a term not exceeding a year, community service work, or a fine.
• Violations of article 277 can be criminally sanctioned in § (1) with imprisonment for up to two years, community service work, or a fine; in § (2) with imprisonment for a term not exceeding a year, community service work, or a fine.

Cybercrime - illegal access to information systems (hacking)

Relevant law: Criminal Code (1978. évi IV. törvény a Büntető Törvénykönyvről – Btk).

Btk Reference: See http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=97800004.TV&timeshift=0 or some of the relevant articles in English (not updated): http://abiweb.obh.hu/dpc/index.php?menu=gyoker/relevant/national/1978_IV

Main provisions in relation to ID theft: Illegal access to information systems is punished by Article 300/C of the Criminal Code, including particularly paragraph (1): any person who gains unauthorized entry to an information system by compromising or defrauding the integrity of the computer protection system or device, or overrides or infringes his user privileges, is guilty of a misdemeanour. This would apply to any ID theft incidents involving the use of false credentials to gain unauthorized access to an information system, or to steal credentials from such a system.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of § 1 can be criminally sanctioned with imprisonment for up to one year, community service work, or a fine.

Cybercrime – illegal data interference

Relevant law: Criminal Code (1978. évi IV. törvény a Büntető Törvénykönyvről – Btk).
Btk Reference: See http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=97800004.TV&timeshift=0 or some of the relevant articles in English: http://abiweb.obh.hu/dpc/index.php?menu=gyoker/relevant/national/1978_IV

Main provisions in relation to ID theft: Illegal data interference is punished by Article 300/C of the Criminal Code, including particularly paragraph (2): any person who: a) without permission alters, damages or deletes data stored, processed or transmitted in an information system, or denies access to the legitimate users; b) without permission adds, transmits, alters, damages or deletes any data, or uses any other means to disrupt the use of the information system, is guilty of a misdemeanour. This would apply to any ID theft incidents involving the falsifying of identity information stored, transmitted, etc. in an information system.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of § 2 can be criminally sanctioned with imprisonment for up to two years, community service work or a fine.

Cybercrime – computer-related forgery

Relevant law: Criminal Code (1978. évi IV. törvény a Büntető Törvénykönyvről – Btk).

Btk Reference: See http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=97800004.TV&timeshift=0

Main provisions in relation to ID theft: Computer-related forgery is not a specific crime in the Hungarian Criminal Code. Article 300/E, on the evasion of the technical measures providing the protection of information systems, can be treated as such; however, it relates to other computer crimes as well. Article 300/E includes:
Paragraph 1: a person who, aiming to commit a particular crime defined in article 300/C, prepares, obtains or releases, merchandises or otherwise makes available a computer program, password or entry code which is necessary to or facilitates the crime, or prepares data allowing login into the system, is guilty of a misdemeanour.
Paragraph 2: a person is punishable according to § (1) when, aiming to commit a particular crime defined in article 300/C, he/she puts his economic, technical or organizational knowledge at somebody else's disposal for the preparation of a computer program, password, entry code or data allowing login into the system which is necessary to or facilitates the crime.

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of §1 and §2 shall be criminally sanctioned with imprisonment for up to two years, community service work, or a fine. In some specific situations, a person cannot be punished if he/she reveals his/her activity to the authority before the authority has learned of the preparation of a computer program, password or entry code which is necessary to or facilitates the crime, or of data allowing login to the whole or any part of the system, conveys the prepared thing to the authority, and enables the identification of other persons taking part in the preparation.

Cybercrime – computer-related fraud

Relevant law: Criminal Code (1978. évi IV. törvény a Büntető Törvénykönyvről – Btk).

Btk Reference: See http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=97800004.TV&timeshift=0 or some of the relevant articles in English: http://abiweb.obh.hu/dpc/index.php?menu=gyoker/relevant/national/1978_IV

Main provisions in relation to ID theft: Computer-related fraud is punished by Article 300/C of the Criminal Code, including particularly paragraph (3): any person who, for unlawful financial gain or advantage, adds, alters, damages or deletes data stored, processed or transmitted in an information system, or denies access to the legitimate users, or adds, transmits, alters, damages or deletes data, or uses any other means to disrupt the use of the information system, and causes damage with this, is guilty of a felony. This would apply to, for example, any ID theft incidents involving the modification of information systems in order to obtain usernames/passwords (eg, phishing).

Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of paragraph (3) can be criminally sanctioned with imprisonment of between one and five years if it causes significant damage; between two and eight years if it causes particularly great damage; between five and ten years if it causes particularly significant damage.

Application in practice

Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else's name)

Applicable law(s): Such an incident would likely involve:
- violation of data protection laws, since personal data of the victim are unlawfully processed, imposing significant injury (or, after August 9, 2009, for unlawful financial gain or advantage), to make the false identity believable (eg, publication of the victim's name, address, photo, etc.);
- forgery and/or computer-related forgery, if the forgery changed the legal impact of the information;
- fraud and/or computer-related fraud, if the false identity was used to unlawfully appropriate property;
- harassment, if it is caused by the publication of the victim's name, address, photo, etc.;
- defamation, if the publication of the victim's name, address, photo, etc. is connected with an attack on the victim's honour.

Case law available? A case involved the abusive use of photos and private data (address and telephone number) of a woman on websites dedicated to the provision of sexual services. The victim brought a civil action against the websites before the Pest Central District Court. The court divided the proceedings and based its decision on Act CVIII of 2001 on certain issues of electronic commerce services and information society services.
According to the judgement, the owner of the website, being an intermediary provider, is not responsible for the content. The Pest Central District Court thus refused the action, and the plaintiff had to pay the legal costs. The Metropolitan Court of Appeal approved the decision in April 2009 [140]. It should be mentioned that in a similar case of falsified online ads (concerning the offer of a car and of sexual services, where the ads contained the nickname and phone number of the victim), the police identified the IP address from which the ads were sent, and in 2007 the City Court of Hatvan found two defendants guilty of violation of data protection and of the offence of harassment (articles 177/A and 180 of the Criminal Code). Each defendant was sentenced to a fine of 100,000 forints (about 400 EUR). The Supreme Court approved the decision in December 2008 [141].

[140] A copy of the decision can be found here: http://www.birosag.hu/resource.aspx?ResourceID=OITHAnonim&OEA=0100-H-PJ-2008-511&K=0; and the appeal: http://www.birosag.hu/resource.aspx?ResourceID=OITHAnonim&OEA=2201-H-PJ-2009395&K=0
[141] A copy of the decision can be found here: http://www.birosag.hu/resource.aspx?ResourceID=OITHAnonim&OEA=1004-H-BJ-2007-3&K=0 and the appeal: http://www.birosag.hu/resource.aspx?ResourceID=OITHAnonim&OEA=0001-H-BJ-2008-138&K=0

Unlawfully using another person's credentials (eg, using someone else's username or password to send emails in his/her name)

Applicable law(s): Most of the qualifications above could apply, depending on how the credentials were used:
- violation of the data protection act, since the credentials are likely to be considered personal data which are being unlawfully processed, imposing significant injury (or, after August 9, 2009, for unlawful financial gain or advantage);
- computer-related crime, if use of the credentials can be qualified as unlawful access to data related to electronic communication (eg, to make bank transfers electronically);
- fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal access to information systems, if the credentials were used to access a system without authorisation.

Case law available? Yes; however, in the available case law the unknown perpetrators sent faxes rather than emails. In 2007 the Municipal Court heard the case of a bank employee who, without authorization, collected from the bank information system the dormant accounts of 7 clients containing large amounts of money. He took photographs with a digital camera of the displays containing the details of the bank accounts (personal data of the holder, the amount and currency, and the secret password and code required for transfers). The second defendant had opened two bank accounts using lost and falsified ID documents bearing his own photos, one with the original name and the other with a falsified name. Unknown persons initiated the bank transfers by fax - containing the secret password and code - sent from a foreign phone number (in a Serbian city) to the Hungarian accounts. The identity of the accomplices remained unknown. The Municipal Court found the first defendant guilty of the crime of fraud (Criminal Code § 318) together with the crime of violation of banking secrecy (Criminal Code § 300/A) and the offence of forgery of official documents (Criminal Code § 276), and sentenced him to 5 years' imprisonment. The second defendant was found guilty of the crime of continuously committed fraud (Criminal Code § 318) together with the continuously committed crime of forgery of official documents (Criminal Code § 274), and the court therefore sentenced him to 3 years and 6 months' imprisonment. In 2008, the Metropolitan Court of Appeal reduced the term of imprisonment of the first defendant to 4 years, and that of the second defendant to 2 years and 10 months [142].

[142] A copy of the decision can be found here: http://www.birosag.hu/resource.aspx?ResourceID=OITHAnonim&OEA=0100-H-BJ-2008-88&K=0 and the appeal: http://www.birosag.hu/resource.aspx?ResourceID=OITHAnonim&OEA=2201-H-BJ-2008-159&K=0

Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else's bank account)

Applicable law(s): The act of phishing itself (independent of what the perpetrator would do with the stolen information) would likely be:
- a violation of communication secrecy laws, if the collection of the credentials can be qualified as unlawful access to data related to electronic communication;
- fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal data interference, if the act of phishing involved entering, changing or deleting information in an information system without authorisation (eg, in order to falsify a website).

Case law available? No known case law.

Using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits

Applicable law(s): The act of using a falsified identity document would likely be:
- a violation of the data protection act, since the personal data in the document would be unlawfully processed, imposing significant injury (or, after August 9, 2009, for unlawful financial gain or advantage);
- forgery or document forgery.

Case law available? No known case law.

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketers)

Applicable law(s): The act of trafficking in unlawfully obtained information would likely be a violation of the data protection act, since the personal information would be unlawfully processed, imposing significant injury (or, after August 9, 2009, for unlawful financial gain or advantage).

Case law available? No known case law.

Apart from these examples, there are no publicly available law cases. It has to be highlighted [143] that the abuse of personal data has been included in the Criminal Code since 2003. In the last 5-year period a total of 18 sentences of imprisonment were imposed, and the perpetrators received suspended sentences in 51 cases. This figure will increase significantly through the tightening of the Criminal Code after 2009. According to the statistics of the General Prosecutor's Office, 2302 denunciations were made for abusing personal data in 2007; of these, the investigation was ceased in 2207 cases in the prosecutorial phase. Far fewer denunciations, 262, arrived in 2008, but among these 158 investigations were ceased, and in 68 cases the denunciation was rejected. The majority of the rejections happened because of the absence of a significant injury of interest [144]. In most cases, the victim could not make a denunciation before August 2009, but many citizens filed complaints with the Commissioner of Data Protection.

ID theft reporting mechanisms

If action is required, the incident shall be reported to the police. This is a general rule covering ID theft and other online-related crime as well.
There are some other means of 143 Fraudsters submitted several hundred tax declarations containing refund applications in the amount of roughly 27 million forints with stolen identities of unsuspecting citizens living in different regions of the country. The personal data, tax number were correct in the declarations, however in 243 cases the handwritten signatures differed from the signatures of the concerned tax subjects and there were the same mailing address and the bank account in each case. The Tax Authority made denunciation against unknown persons according to the news dated in June 2008. No law case was found yet In November 2009, bank card information of 145 card holders was stolen by skimming at an ATM in Budapest. The criminals - suspected skilled in IT - installed card reader in the ATM and obtained card information together with the secret PIN code. The criminals forged bank cards with the data and 319 times executed, or attempted to execute various financial transactions. The criminals managed successfully altogether 86 cash withdrawal and caused 6 million forint damages - according to information provided by the Budapest Police Headquarters in February 2010. The ATM prepared video records about the users of the fake cards. The police published the photos and was looking for the perpetrators at the time of the announcement 144 See the article of Dr. Zoltán Kulcsár http://www.adatvedelmiszakerto.hu/2009/08/a-jogellenes-adatkezeleskovetkezmenyei/ 327 RAND Europe National Profiles electronic communication. The police are preparing form sheets in the framework of eGovernment. The system should serve explicitly the administrative cases. The forms should be completed with the general fill out software and would be uploaded on the Client Gate of the Central Governmental Portal145. Central Governmental Portal forwards the files to the e-Cop system of the National Police Headquarters through the Office Gate. 
The oldest reporting mechanism is the so called Telefontanú Programme; however it was created primarily not for victims. Telefontanú (Phone Evidence) Programme The Telefontanú (Phone Evidence) Programme came into operation at the Crime Prevention and Equality Unit of the National Police Headquarters on January 15 , 2001.146 The idea of the programme arose from the example of the British Crimestoppers in order to help to find criminals and to increase the effectiveness of crime prevention. (The programme – based on similar principles – is successfully applied currently in four European countries: Spain, Great Britain, the Netherlands and Hungary) The program provides for an opportunity for those citizens who have information about already completed or planned crimes, criminals, location of wanted persons, but do not want to go to the police, to reveal their identities to the authority for an appreciable reason. The toll-free number 06-80-555-111 is operated on weekdays. The operators receive the anonymous information and pass it to the law enforcement authorities (eg, among others to the National Criminal Investigation Agency of the National Police Headquarters). About 100.000 notifications were received in recent years: the 35-40 percent of submitted applications to the competent authorities were successfully-closed investigation, arresting of wanted persons and other police measures. MMS format for data communication is possible since June 2005. Photos or records of a crime can be sent to the service office, which forward the information to the measure authorized body. Other sites The crime prevention website of the Hungarian Police can be found at http://www.megelozes.eu/cms/index.php?option=com_frontpage&Itemid=1, with advises about the safe use of Internet. The complaints against misuse may be sent to the web portal electronically, by postal mail or personally. The police shall answer in three days or inform about the responsible authority. 
The website http://www.internethotline.hu/ contains information on hotline submissions. It offers the opportunity to report Hungarian illegal or harmful web or other online content. Primarily, an online notification form is filled out on the site. Alternatively, an email notification ([email protected]) can be sent as well. This is the Hungarian member site of INHOPE, operated by MATISZ in the framework of the Safer Internet Action Plan.

The National Cybersecurity Center[147] publishes daily and weekly reports about vulnerabilities, risks and incidents, a quarterly summary and analysis, and other professional papers. It operates the National General Duty Service of Informatics and Communications, an on-site 24/7 duty service to handle incidents. Incident reports should be sent by electronic mail to [email protected]. The National Cybersecurity Center co-operates with the High-Tech Crime Prevention Department of the Hungarian National Criminal Investigation Agency (the High-Tech Crime Prevention Department is in charge of the investigation of computer-related crime). The National Cybersecurity Center/PTA CERT-Hungary provides training on the secure use of the Internet for the employees of its member organizations. The website http://www.biztonsagosinternet.hu/ was created for awareness raising and education. Based on the material on the website, there are education programmes for primary and secondary schools. PTA CERT-Hungary participated in the summer holiday education programmes for pupils.

Other websites to be mentioned are:
VirusBuster Kft. has offered anti-virus software and other IT security solutions for the Hungarian and international market since 1997.

145 https://ugyfelkapu.magyarorszag.hu/szolgaltatasok/dokumentumfeltoltes
146 http://www.police.hu/megelozes/telefontanu/telefontanuprog.html
http://www.virusbuster.hu/hu/spam/spam_gyik/spam_jon
According to a PPP agreement, the publications of the General Inspectorate for Consumer Protection about spam, malware and Internet fraud can be found on a private website, www.virushirado.hu/oldal.php?hid=52. On this website consumers can also find information on where to file a complaint about spam.

Personal assessment of the framework for combating ID theft
The Hungarian Internet penetration rate has risen above 52 percent; however, it is below the European average, despite significant improvements. The low penetration and the language difficulties for foreign perpetrators reduce the chances of online crime to some extent. Several news items published in the media have contributed to awareness-raising about credit card fraud, spam and phishing. In the latter half of the year, some reviews about ID theft became available, aiming to provide readers with the most reliable and complete information on how to reduce the risk of becoming a victim. However, really relevant case law concerning ID-related crime is hard to find. Since 2006 there have been more and more phishing attacks against customers of Hungarian banks as well. The text of the emails or the forged websites has fewer translation errors, so they deceive many people. The typically foreign perpetrators have caused significant damage in some cases, but the banks did not disclose the amount and did not report it to the police. As the study of a public prosecutor[148] indicates, the effective investigation of phishing attacks is difficult, and obtaining evidence of cross-border crime is practically impossible. The same goes for credit card fraudsters, as the data acquired are typically used in other countries. The legal framework is sufficiently comprehensive in the field of personal data protection and computer crime.

147 http://www.cert-hungary.hu/en
The act on electronic communications regulates the functions of the state and of the service providers, which are essentially governed by market competition. The act provides for the protection of systems security; however, it does not prohibit any form of unauthorised access by an unauthorised natural or legal person, which is sanctioned by the Criminal Code at the same time. The preparation of the bill on IT Security in 2009 should be considered positively, in the hope that it will soon be enacted by the Parliament.

148 The study of Dr. Kökényesi Bárdos Attila can be downloaded from the site of the Pro Iustitia Society: http://www.stop.hu/articles/comment_forum.php?forum_topics_id=183738&database_id=592874&forum_forbidden=0&lstresults=1&median_code=11888217376498

India

Applicable laws

Laws focusing explicitly on ID theft
There is no general ID theft law in India. Furthermore, there is no general data protection law in India. The Constitution of India, ratified in 1950, does not explicitly recognize the right to privacy. However, the Supreme Court first recognized in 1964[149] that there is a right of privacy implicit in Article 21 of the Constitution, which states: 'No person shall be deprived of his life or personal liberty except according to procedure established by law'.[150] There is no mention of the word 'privacy'; instead, the term 'personal liberty' has been used. The Information Technology Act 2000 (a.k.a. IT ACT 2000)[151] was notified on Oct 17, 2000 by the Indian Parliament. An amendment to the 2000 Act was proposed in 2005/2006; it was amended through the Information Technology Act 2008, which was notified by the Indian Parliament on Oct 27, 2009.[152] The amended Act addresses a great many cyber security and privacy issues.
Section 66C of the amendments addresses identity theft: 'Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.'

Other laws that may apply to ID theft incidents

The Personal Data Protection Bill, 2006[153]
• The aim of the bill is to provide for the protection of personal data and information of an individual collected for a particular purpose by one organization, to prevent its usage by another organization for commercial or other purposes, and to entitle the individual to claim compensation or damages due to disclosure of personal data or information of any individual without his consent, and for matters connected therewith or incidental thereto.
• The bill addresses the collection, processing and distribution of personal data by both the government and the private sector.
• Penalty
  o Whoever contravenes or attempts to contravene or abets the contravention of the provisions of this Act shall be punishable with imprisonment for a term which may extend to three years, or with a fine which may extend up to ten lakh rupees.
• Status of the Bill
  o This Bill was introduced in the Rajya Sabha (Government of India) on 8th December 2006.

149 Kharak Singh v State of UP (AIR 1963 SC 1295)
150 Privacy International. Country reports - Republic of India. http://www.privacyinternational.org/survey/phr2000/countrieshp.html#Heading3. Visited 02 Oct 04.
151 https://nicca.nic.in/pdf/itact2000.pdf
152 http://www.cyberlawtimes.com/itact2008.pdf
153 http://www.lawyersclubindia.com/forum/files/8_8_the_personal_data_protection_bill__2006.pdf

Privacy protection and data protection legislation
Please identify any applicable laws that protect privacy or personal data in general.
Add one box per relevant law; this may mean that the national profiles contain additional boxes beyond the ones provided below.

Data protection laws[154]
Relevant law: IT ACT 2000 and IT ACT 2008
Reference: https://nicca.nic.in/pdf/itact2000.pdf; http://www.cyberlawtimes.com/itact2008.pdf
Main provisions in relation to ID theft: Section 43: ID theft incidents will typically constitute unlawful access to information (Section 43, clause a), introducing a virus into the victim's machine (Section 43, clause c) and impersonation (Section 43, clause h). Section 66C as mentioned above.
Prescribed sanction: The convicted criminal 'shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.'

Communications secrecy laws[155]
Relevant law: Name and date
Reference: Publication reference (preferably an on-line link)
Main provisions in relation to ID theft: Identify the relevant articles/paragraphs/sections
Prescribed sanction: Punishment provided by the law (imprisonment and/or fines)

154 Specifically transpositions of the Data Protection Directive 95/46/EC; see http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:NOT
155 Specifically transpositions of the ePrivacy Directive 2002/58/EC; see http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML

Criminal law

Fraud
Relevant law: N.A.
Reference: N.A.
Main provisions in relation to ID theft: N.A.
Prescribed sanction: N.A.

Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law: N.A.
Reference: N.A.
Main provisions in relation to ID theft: N.A.
Prescribed sanction: N.A.
Cybercrime - illegal access to information systems (hacking)
Relevant law: IT ACT 2000 and IT ACT 2008
Reference: https://nicca.nic.in/pdf/itact2000.pdf; http://www.cyberlawtimes.com/itact2008.pdf
Main provisions in relation to ID theft: Section 70: Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.
Prescribed sanction: 10 years

Cybercrime – illegal data interference[156]
Relevant law: N.A.
Reference: N.A.
Main provisions in relation to ID theft: N.A.
Prescribed sanction: N.A.

Cybercrime – computer-related forgery[157]
Relevant law: N.A.
Reference: N.A.
Main provisions in relation to ID theft: N.A.
Prescribed sanction: N.A.

Cybercrime – computer-related fraud[158]
Relevant law: N.A.
Reference: N.A.
Main provisions in relation to ID theft: N.A.
Prescribed sanction: N.A.

156 Specifically any modifications to national law under the influence of the Council of Europe Convention on Cybercrime (see http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm) or the EU Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems (see http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32005F0222:EN:NOT)
Computer source code crime[159]
Relevant law: IT ACT 2000, IT ACT 2008
Reference: https://nicca.nic.in/pdf/itact2000.pdf; http://www.cyberlawtimes.com/itact2008.pdf
Main provisions in relation to ID theft: Section 65: Whoever knowingly or intentionally conceals, destroys or alters, or intentionally or knowingly causes another to conceal, destroy or alter, any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both. Explanation: For the purposes of this section, 'Computer Source Code' means the listing of programmes, Computer Commands, Design and layout and programme analysis of computer resource in any form.
Prescribed sanction: Up to three years, or a fine which may extend up to two lakh rupees, or both.

Sending offensive messages using computers / communication devices
Relevant law: IT ACT 2000, IT ACT 2008
Reference: https://nicca.nic.in/pdf/itact2000.pdf; http://www.cyberlawtimes.com/itact2008.pdf
Main provisions in relation to ID theft: Section 66A. This covers spam, phishing, etc.
Prescribed sanction: Punishable with imprisonment for a term which may extend to three years and with fine.

157 Specifically any modifications to national law under the influence of the Council of Europe Convention on Cybercrime (see http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm)
158 Specifically any modifications to national law under the influence of the Council of Europe Convention on Cybercrime (see http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm)
159 Specifically any modifications to national law under the influence of the Council of Europe Convention on Cybercrime (see http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm)
Application in practice

Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else's name)
Applicable law(s): IT ACT 2000, IT ACT 2008
Case law available? No

Unlawfully using another person's credentials (eg, using someone else's username or password to send emails in his/her name)
Applicable law(s): IT ACT 2000, IT ACT 2008
Case law available? The case of The State of Tamil Nadu vs Suhas Katti. From the judgement: 'The accused is found guilty of offences under section 469, 509 IPC and 67 of IT Act 2000 and the accused is convicted and is sentenced for the offence to undergo RI for 2 years under 469 IPC and to pay fine of Rs.500/- and for the offence u/s 509 IPC sentenced to undergo 1 year Simple imprisonment and to pay fine of Rs.500/- and for the offence u/s 67 of IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/-. All sentences to run concurrently.'

Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else's bank account)
Applicable law(s): N.A.
Case law available? N.A.

Using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits
Applicable law(s): N.A.
Case law available? N.A.

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law(s): N.A.
Case law available? N.A.

Trafficking in unlawfully obtained pictures and videos (eg, selling pornography)
Applicable law(s): IT ACT 2000, IT ACT 2008, Section 67, Punishment for publishing or transmitting obscene material in electronic form
Case law available? Dr. L Prakash was convicted for manipulating his patients in various ways, forcing them to commit sex acts on camera and posting the pictures and videos on the Internet. Fast track court judge R Radha, who convicted all four in Feb 2008, also imposed a fine of Rs 1.27 lakh on Prakash, the main accused in the case, and Rs 2,500 each on his three associates Saravanan, Vijayan and Asir Gunasingh.

Other laws/Acts that one can use in India for identity theft:

Other laws/Acts
Relevant law: Special Relief Act, 1963
Reference: http://districtcourtallahabad.up.nic.in/articles/SRelAct.pdf
Main provisions in relation to ID theft: Section 39: Temporary and permanent injunctions against unauthorized disclosure of confidential information; award of damages
Prescribed sanction: Enforced by the courts in India

Other laws/Acts
Relevant law: Indian Penal Code, 1960
Reference: http://districtcourtallahabad.up.nic.in/articles/IPC.pdf
Main provisions in relation to ID theft: A criminal complaint for breach of trust can be filed in court by the police or the affected party
Prescribed sanction: Enforced by the courts in India. Criminal breach of trust is punishable by more than 3 years' imprisonment and a fine.

ID theft reporting mechanisms
Indian citizens have many venues to report ID theft:
• Indian Computer Emergency Response Team (CERT-IN)[160]
• Cyber Crime Investigation Cells across India (eg, http://www.cybercellmumbai.com/ in Mumbai)
• Cyber Crime police stations; an example in Bangalore is http://www.cyberpolicebangalore.nic.in/

160 www.cert-in.org.in/

The caveat is that the reporting mechanisms are not promoted as they should be and therefore the number of incidents that are reported is far lower than the actual number.

Personal assessment of the framework for combating ID theft
I think the laws are sufficient enough to cover all incidents of ID theft in some form or another, but the problem I see is the gap between technologists and lawyers in India.
There is very little interaction between these two communities. There is also a dearth of knowledge on the techno-legal aspects of the ID theft issue. One main thing that India needs to look at is capacity building, to train technologists about law and lawyers/investigating officers about technology. Given the plethora of issues and the huge population in India, it may not be appropriate to expect quick responses with respect to solving the ID theft problem. Some of these cases take a long time, and I am certain that there are many cases being discussed in the courts as this article is written.

Ireland

Applicable laws

Laws focusing explicitly on ID theft
There is no Irish legislation focusing specifically on ID theft. ID theft incidents would be dealt with through provisions relating to fraud or data protection. No such ID theft laws are currently under consideration by the lawmaker, according to the available information.

Other laws that may apply to ID theft incidents

Data protection laws
Relevant law: Data Protection Act 1988; Data Protection (Amendment) Act 2003
Reference: Data Protection Act 1988: http://www.bailii.org/ie/legis/num_act/1988/0025.html and Data Protection (Amendment) Act 2003: http://www.bailii.org/ie/legis/num_act/2003/0006.html
Main provisions in relation to ID theft: ID theft incidents will generally violate the following provisions of the Acts:
- Fair obtaining and processing of personal data: s.2(1)(a);
- Purpose specification principle: s.2(1)(c);
- Security: s.2(1)(d) and s.2C;
- Legitimate processing requirements: ss.2A and 2B;
- Registration obligations: s.16.
Prescribed sanction: The Act facilitates the bringing of a civil action for breach of its provisions: s.7. Various offences are also provided for, for example, non-compliance with a range of notices issued by the Data Protection Commissioner: ss.10(12), 11(13) and 12(5), and obtaining access to personal data and disclosing it: s.22.
The penalties are:
o On summary conviction a maximum fine of €1,270;
o On conviction on indictment a maximum fine of

Communications secrecy laws - contents of electronic communications
Relevant law: Postal & Telecommunications Services Act 1983: s.98 (as amended).
Reference: Postal & Telecommunications Services Act 1983: http://www.bailii.org/ie/legis/num_act/1983/0024.html#zza24y1983
Main provisions in relation to ID theft: Section 98 of this Act makes it an offence to intercept telecommunications messages, to disclose the existence, substance or purport of any such message which has been intercepted, or to use for any purpose any information obtained from any such message. While the offence originally only applied to messages being transmitted by the state monopoly telecommunications provider, its application was extended to cover authorised undertakings, ie, those authorised by the Commission for Communications Regulation to provide electronic communications networks and services. The offence only applies to messages that are in the course of transmission. There is no definition in the Act of 'telecommunications message', but it is likely that it applies to electronic communications. This provision applies to the content of such communications but not to information about the communication. It appears to apply to ID theft incidents involving the recording of electronic communications, provided the communication is being transmitted by an authorised undertaking.
Prescribed sanction: On summary conviction, a maximum fine of €1,016 or a maximum prison term of 12 months or both. On conviction on indictment, a maximum fine of €63,500 or a maximum prison term of 5 years or both.

Fraud
Relevant law: Criminal Justice (Theft and Fraud Offences) Act 2001.
Reference: Criminal Justice (Theft and Fraud Offences) Act 2001: http://www.bailii.org/ie/legis/num_act/2001/0050.html
Main provisions in relation to ID theft: Section 6 of the Criminal Justice (Theft and Fraud Offences) Act 2001 provides that a person who dishonestly, with the intention of making a gain for himself or herself or another, or of causing loss to another, by any deception induces another to do or refrain from doing an act is guilty of an offence. Section 7 of the Act provides that a person who dishonestly, with the intention of making a gain for himself or herself or another, or of causing loss to another, by any deception obtains services from another is guilty of an offence.
Prescribed sanction: These offences are indictable and the penalties are an unlimited fine or a maximum of 5 years' imprisonment, or both.

Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law: Criminal Justice (Theft and Fraud Offences) Act 2001.
Reference: Criminal Justice (Theft and Fraud Offences) Act 2001: http://www.bailii.org/ie/legis/num_act/2001/0050.html
Main provisions in relation to ID theft: Section 24 of the Criminal Justice (Theft and Fraud Offences) Act provides that a person is guilty of forgery if he or she makes a false instrument with the intention that it shall be used to induce another person to accept it as genuine and, by reason of so accepting it, to do some act, or to make some omission, to the prejudice of that person or some other person. Section 25 of the Act provides that a person who uses an instrument which is, and which he or she knows or believes to be, a false instrument, with the intention of inducing another person to accept it as genuine and, by reason of so accepting it, to do some act, or to make some omission, or to provide some service, to the prejudice of that person or any other person is guilty of an offence.
Prescribed sanction: These offences are indictable and the penalties are an unlimited fine or a maximum of 10 years' imprisonment, or both.

Theft
Relevant law: Criminal Justice (Theft and Fraud Offences) Act 2001.
Reference: Criminal Justice (Theft and Fraud Offences) Act 2001: http://www.bailii.org/ie/legis/num_act/2001/0050.html
Main provisions in relation to ID theft: Section 4 of the Criminal Justice (Theft and Fraud Offences) Act 2001 provides that a person is guilty of theft if he or she dishonestly appropriates property without the consent of its owner and with the intention of depriving its owner of it. Property is defined in the Act (s.2) as 'money and all other property, real or personal, including things in action and other intangible property'.
Prescribed sanction: A person guilty of theft is liable on conviction on indictment to a fine or imprisonment for a term not exceeding 10 years or both.

Cybercrime - illegal access to information systems (hacking)
Relevant law: Criminal Damage Act 1991.
Reference: Criminal Damage Act 1991: http://www.bailii.org/ie/legis/num_act/1991/0031.html
Main provisions in relation to ID theft: Section 5 (unauthorised accessing of data) of the Criminal Damage Act 1991 provides that 'a person, who without lawful excuse, operates a computer … shall, whether or not he accesses any data, be guilty of an offence'. This would cover identity theft incidents involving the use of false passwords to gain access to information systems.
Prescribed sanction: This is a summary offence punishable by a maximum fine of €635 or a maximum prison sentence of 3 months or both.

Cybercrime – illegal data interference
Relevant law: Criminal Damage Act 1991.
Reference: Criminal Damage Act 1991: http://www.bailii.org/ie/legis/num_act/1991/0031.html
Main provisions in relation to ID theft: Section 2(1) of the Criminal Damage Act makes it an offence, without lawful excuse, to damage any property belonging to another, intending to damage any such property or being reckless as to whether any such property would be damaged. Property is defined to include data which, in turn, is defined as 'information in a form in which it can be accessed by means of a computer and includes a program'. Damage is broadly defined and includes alteration or erasure of data.
Prescribed sanction: On summary conviction, a maximum fine of €1,270 or a maximum prison term of 12 months or both. On conviction on indictment, a maximum fine of €12,700 or a maximum prison term of 10 years or both.

Cybercrime – computer-related forgery
Relevant law: Criminal Justice (Theft and Fraud Offences) Act 2001.
Reference: Criminal Justice (Theft and Fraud Offences) Act 2001: http://www.bailii.org/ie/legis/num_act/2001/0050.html
Main provisions in relation to ID theft: As noted above, Sections 24 and 25 of the Criminal Justice (Theft and Fraud Offences) Act deal with forgery and the use of false instruments. Instrument is defined as 'any document, whether of a formal or informal character'. Document is defined as including '(a) a map, plan, graph, drawing, photograph or record, or (b) a reproduction in permanent legible form, by a computer or other means (including enlarging), of information in non-legible form'. The definition of instrument goes on to provide a non-exhaustive list of materials which come within the scope of this definition, such as 'any disk, tape, sound track or other device on or in which information is recorded or stored by mechanical, electronic or other means'. Given the breadth of the definition of instrument, it is clear that computer-related forgery is covered by these offences.
Prescribed sanction: These offences are indictable and the penalties are an unlimited fine or a maximum of 10 years' imprisonment, or both.

Cybercrime – computer-related fraud
Relevant law: Criminal Justice (Theft and Fraud Offences) Act 2001.
Reference: Criminal Justice (Theft and Fraud Offences) Act 2001: http://www.bailii.org/ie/legis/num_act/2001/0050.html
Main provisions in relation to ID theft: Section 9 of the Criminal Justice (Theft and Fraud Offences) Act provides that a person who dishonestly operates or causes a computer to be operated with the intention of making a gain for himself or herself or another, or of causing a loss to another, is guilty of an offence. Dishonesty is defined as meaning 'without a claim of right made in good faith': s.2. This is a very broad provision which could be used against those who engage in identity theft, provided the necessary intent is proven.
Prescribed sanction: The offence is indictable and the penalties are an unlimited fine or a maximum of 10 years' imprisonment, or both.

Application in practice

Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else's name)
Applicable law(s): This would be likely to involve:
- breach of data protection law, on the basis that it would probably involve unlawful processing of personal data of the victim;
- forgery and/or use of a false instrument, on the basis that the false profile could constitute a false instrument. The offence would only arise where it could be shown that the false instrument was made or used with the intention of inducing another person to accept it as genuine and, by reason of so accepting it, to do some act, or to make some omission, or to provide some service, to the prejudice of that person or any other person;
- fraud.
An offence could be committed under s.6 (Making a gain or causing a loss by deception) of the Criminal Justice (Theft and Fraud Offences) Act, provided that the perpetrator could be shown to have dishonestly induced another (eg, Facebook) by any deception to do an act (eg, create the account for him or her) and to have done so with the intention of making a gain for himself or herself or another, or of causing loss to another. An offence could also be committed under s.7 (Obtaining a service by deception) of the Criminal Justice (Theft and Fraud Offences) Act, on the basis that the person claiming the false identity online might also be said to be dishonestly obtaining a service by deception, provided it can be shown that this was done with the intention of making a gain for himself or herself or another, or of causing loss to another. An offence could also be committed under s.9 (Unlawful use of a computer) of the Criminal Justice (Theft and Fraud Offences) Act, on the basis that the creation of the account could be said to involve the dishonest operation of a computer with the intention of making a gain for himself or herself or another, or of causing loss to another. In the case of both s.6 and s.7, evidence of deception is a necessary ingredient of the offence. It is unclear in Irish law whether a computer can be deceived, and it might therefore be difficult to secure a conviction where the creation of the account does not involve any human intervention. As there is no such requirement in s.9, this offence would be more likely to apply.
Case law available? The only legal proceedings to be reported (as a result of a report in The Sunday Times, Irish edition, of February 14, 2010) concern the bringing of civil proceedings in relation to a false profile on the Bebo social networking site: 'Biker sues Bebo over false profile', available at http://www.timesonline.co.uk/tol/news/world/ireland/article7026292.ece

Unlawfully using another person's credentials (eg, using someone else's username or password to send emails in his/her name)
Applicable law(s): Applicable offences would include:
- violation of the Data Protection Act, on the basis that this would involve unlawful processing of personal data;
- offences under the Criminal Justice (Theft and Fraud Offences) Act, including: s.6: Making a gain or causing a loss by deception; s.7: Obtaining a service by deception; s.9: Unlawful use of a computer. In the case of ss.6 and 7, evidence of deception would be necessary, and in each case it would be necessary to show intention to make a gain or cause a loss;
- unauthorised accessing of data (s.5, Criminal Damage Act), assuming the activity involved operating a computer with intent to access data.
Case law available? No known case law.

Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else's bank account)
Applicable law(s): Phishing would involve a violation of the Data Protection Act, as it would involve unlawful processing of personal data. Phishing could also involve an offence under s.6 of the Criminal Justice (Theft and Fraud Offences) Act: Making a gain or causing a loss by deception. It could also give rise to an offence under s.9 of the same Act: Unlawful use of a computer. Phishing could also result in prosecution for theft under s.4 of the Criminal Justice (Theft and Fraud Offences) Act if the person engaged in the phishing succeeded in appropriating someone's property as a result of using information gathered through phishing.
Case law available? No known case law.
Using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits
Applicable law(s): Section 251 of the Social Welfare (Consolidation) Act 2005 makes it an offence for a person to produce or furnish, for the purpose of obtaining or establishing entitlement to any benefit, any document or information which he or she knows to be false in a material particular. The penalty on summary conviction is a maximum fine of €1,500 or a maximum prison sentence of 6 months or both. On conviction on indictment, the penalty is a maximum fine of €13,000 or a maximum prison sentence of 3 years or both.
Case law available? Though prosecutions for Social Welfare fraud are relatively common (for example, approximately 380 cases were referred to the courts in 2009; Source: Department of Social and Family Affairs Press Release, December 8, 2009, available at http://www.welfare.ie/EN/Press/PressReleases/2009/Pages/pr081209.aspx), there is no known reported case law.

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law(s): This would involve a violation of Data Protection Law, on the basis that the personal data would be unlawfully processed.
Case law available? The Data Protection Commissioner has dealt with an inquiry relating to an offer of the 'gift' of a database of names and addresses that had been made to a charity. The charity asked for advice from the Commissioner's office as to whether they could accept this gift. The Commissioner expressed the view that acceptance of the gift would involve breaches of the fair obtaining and compatible processing requirements of the Data Protection Acts: Case Study No.8 of 1996, available at: http://www.dataprotection.ie/viewdoc.asp?Docid=174&Catid=45&StartDate=1+January+2008&m=c
No known case law can be reported relating to electronic or non-electronic identity theft (eg, passport forgery, forgery of driving licence or social security number). However, the following elements should be highlighted:
Passports: The definition of ‘instrument’ for the purposes of the offences of forgery and using a false instrument, ss.24 and 25 of the Criminal Justice (Theft and Fraud Offences) Act, expressly includes a passport. A newspaper reported on a successful District Court prosecution of a woman for using a false passport from another jurisdiction: ‘Woman fined €650 for forged passport’, Galway Advertiser, March 12, 2009, available at: http://www.advertiser.ie/galway/article/9589
Driving licences: Section 115(4) of the Road Traffic Act 1961 makes it an offence to ‘forge or fraudulently alter or use, or fraudulently lend to, or allow to be used by, any other person, any licence’.
Forgery of social security number: Section 262(9) of the Social Welfare (Consolidation) Act 2005 makes it an offence to use another person’s personal public service number. It is also an offence to use or attempt to use another person’s Public Service Card: s. 263(4).

ID theft reporting mechanisms
No dedicated ID theft reporting mechanisms exist. The hotline.ie service provides a facility for the public to report suspected illegal content encountered on the Internet. It is mainly concerned with material such as child pornography, but it appears that it does receive complaints concerning identity theft and phishing. These are said to represent ‘a small proportion of reports’: http://www.hotline.ie/5threport/documents/Hotline5thRep.pdf

Personal assessment of the framework for combating ID theft
Regarding the issue of whether or not the laws are sufficiently flexible to cover all incidents of identity theft, the laws appear to be suitable in terms of covering all incidents of ID theft in Ireland. The Data Protection Commissioner is of the view that ID theft is not a significant issue in Ireland (Source: email from the Commissioner received on 6/4/2010). The Commissioner takes the view that one reason for this is the absence of a unique national identity number in widespread use.
As regards the application and effectiveness of these laws in practice, the main challenges include issues relating to detection and the gathering of evidence. The often cross-jurisdictional nature of the problem exacerbates these problems.
Regarding the reporting mechanisms and the following up of investigations, there is no dedicated ID theft reporting mechanism in place. While such a mechanism could be useful, the establishment of a new reporting mechanism could be a source of confusion to the public. It might therefore be better to run a public information programme making it clear that incidents of identity theft should be reported to the Data Protection Commissioner or, where there is criminal intent, to the police (An Garda Siochána: a specialist unit within the Garda – the Garda Bureau of Fraud Investigation – which focuses on serious fraud has, in conjunction with the finance industry and the Northern Ireland Police Service, issued a guide to fraud prevention which emphasises the importance of protecting one’s identity, available at: http://www.garda.ie/Documents/User/IBF_Fraud_Prevention_Brochure_19102009.pdf). The institution of a mechanism for the online reporting of ID theft involving criminal intent via the Garda website could be explored.

Italy

Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in Italy that focuses explicitly and directly on ID theft as a specific crime, or that defines such a crime comprehensively. Currently, ID theft-related crimes, in their various expressions, are countered through the general provisions listed below.
No such legislation is currently under evaluation or definition. The policy emphasis is on improving awareness of such crime among citizens and law enforcement bodies.

Other laws that may apply to ID theft incidents

Privacy and data protection
Relevant law: Legislative Decree n.196, 30 June 2003 – Code of protection of personal data
Reference: http://www.garanteprivacy.it/garante/document?ID=1219452
Main provisions in relation to ID theft: The Code of protection of personal data, which creates a public body (the Garante) to oversee the system and to hear civil rights appeals, regulates proper privacy protection policy and diligence, obligations for data acquisition, storage and treatment, and sanctions for breach and violation of the main provisions, mostly:
• Section 11 – regulates the processing arrangements and data quality, calling for due compliance with standards of transparency and quality in data collection and storage;
• Section 13 – regulates the standards for information to data subjects, with particular emphasis on the obligatory or voluntary nature of providing the requested data, and the obligation to inform promptly, transparently and directly of the purpose and modalities of any data dissemination and/or sharing;
• Section 16 – describes obligations on termination of data storage and, in particular, the duty to destroy any personal or professional ID database, especially if related to commercial use. The transfer or acquisition of the database shall be the subject of a compliant and detailed communication to data subjects, and the whole procedure of disclosure, consent to data treatment and treatment shall be re-activated;
• Section 20 – Principles applying to the processing of sensitive data: Processing of sensitive data by public bodies shall only be allowed where it is expressly authorised by a law specifying the categories of data that may be processed and the categories of operation that may be performed, as well as the substantial public interest pursued. Sensitive data may only be processed with the data subject’s written consent and the Garante’s prior authorisation, by complying with the prerequisites and limitations set out in this Code as well as in laws and regulations;
• Section 30 – Processing operations may only be performed by persons in charge of the processing that act under the direct authority of either the data controller or the data processor, by complying with the instructions received.
Prescribed sanction:
- termination of processing operations: fine between 10.000 and 60.000 euros. If the breach is made for personal enrichment: between 6 and 18 months imprisonment
- unlawful personal data treatment: fine between 10.000 and 120.000 euros (50.000 to 300.000 for mass databases). If the breach is made for personal enrichment: between 6 and 24 months imprisonment
- unlawful data dissemination: 1 to 3 years imprisonment where made for personal enrichment or where the breach causes serious harm to reputation
- unlawful data storage: fine between 10.000 and 50.000 euros (doubled for mass databases)
- incomplete information and notification: fine between 20.000 and 120.000 euros (four-fold increase for mass databases)

Communication secrecy
Relevant law: Italian Constitution; Code of criminal procedure; Code of conduct for telecommunications (and the related Authority’s oversight procedures)
Reference: http://www.lectlaw.com/files/int03.htm ; http://www.servat.unibe.ch/icl/it00000_.html ; http://www.agcom.it/ (in Italian)
Main provisions in relation to ID theft: The explicit guarantee provided by the Italian Constitution (art. 15), which cites the secrecy of communication as a fundamental right of all citizens in all forms of communication, has direct consequences for legislation: secrecy is assumed to apply to all domains of communication, and the law therefore only describes the cases and respects in which an exception to that secrecy is allowed or tolerated in terms of listening to, recording, tapping and storing any communication. Any limit to the Constitutional provision must therefore be explicitly authorised by a judge or judicial body, for the purposes of criminal proceedings or law enforcement. The judicial police is the only public body that may be activated and allowed in practice to override the right to secrecy of communication. Article 266 of the Italian criminal code fully regulates the authorisation and use of data in cases of listening to, tapping, storing and interfering with any kind of private communication. The cases in which this procedure is allowed are:
- intentional crimes
- crimes against the Public Administration
- drugs-related crimes
- terrorism-related crimes
- stalking, mobbing or persecution through communication means
If any intrusion is to be made in a personal residence or professional main address, it must be justified by a reasonable suspicion that the criminal intent and/or activity is based within those personal spaces.
The judge can only allow tapping or listening through electronic devices if (art. 267 of the Criminal code):
- there is serious evidence of a crime
- tapping / listening / intrusion into personal communication (emails and similar) is the only means for a reasonably positive conclusion of the inquiry
The maximum timeframe is 15 days, extendable to 30 if necessary.
In cases of terrorism or criminal organisation (mafia-related) crime, art. 13 of Law 203/1991 provides the framework for exceptions to art. 267:
- listening / tapping is automatically considered an indispensable means, so no pre-emptive evaluation is required
- the judge can authorise it on the basis of sufficient evidence of crime (and not ‘serious crime evidence’)
- intrusion into personal residence and spaces can be allowed with reasonable evidence about the spaces where the crime is being plotted
- the maximum duration is 20 days, extendable up to 40 days
Prescribed sanction:
• Articles 266 – 271 of the Italian criminal law, as amended by Law Decree n.259 (2006): there is a certain degree of homogeneity in terms of sanctions for crimes related to violation of communication secrecy (6 months to 4 years imprisonment, besides damages that the victim may claim in civil proceedings). The sanction is raised to 1 to 5 years if the crime is committed by a public officer
• Article 617 quinquies (installation of electronic devices for communication alteration and/or tapping): 1 to 4 years imprisonment (up to 5 years if the crime is committed by a public officer)
• Article 618 (revelation of personal correspondence): 1 to 6 months imprisonment; 103 to 516 euros fine

Internet Fraud
Relevant law: Criminal Code
Reference: http://wings.buffalo.edu/law/bclc/web/website/allcodes2.htm
Main provisions in relation to ID theft: No specific provision in the Italian legal system. Possible extensive application of Article 640 ter of the Italian Criminal code (Electronic Fraud).
Prescribed sanction:
- 6 months to 3 years imprisonment; between 51 and 1.032 euros fine
- 1 to 5 years imprisonment and a fine between 309 and 1.549 euros if the crime is committed by a public officer

Forgery (offline)
Relevant law: Criminal Code
Reference: http://wings.buffalo.edu/law/bclc/web/website/allcodes2.htm
Main provisions in relation to ID theft: There is a specific provision in the Italian criminal code. Article 497 bis (forgery and counterfeiting of personal and ID documents) is considered a crime. Any alteration of pre-existing documents is also specifically treated in the code (art. 495 ter). A particular provision is devoted to the alteration or forgery of documents replicating police and security forces’ badges and/or distinctive signs (art. 497 ter).
Prescribed sanction:
- 1 to 4 years imprisonment for ‘possession’; 16 to 64 months imprisonment for ‘forgery of false documents’
- 1 to 6 years imprisonment for alteration of official ID and status documents (study or professional certificates)

Forgery (online)
Relevant law: Criminal Code
Reference: http://wings.buffalo.edu/law/bclc/web/website/allcodes2.htm
Main provisions in relation to ID theft: No specific provision.
Article 617 sexies of the Criminal code encompasses crimes relating to the falsification, duplication and alteration of electronic communications and data. Criminal intent is a necessary prerequisite for a crime; any unintentional violation is considered an administrative offence and is treated as such by the courts, resulting in a fine, proportionate to the violation suffered, in favour of the offended party.
Prescribed sanction: 1 to 4 years imprisonment

Hacking
Relevant law: Criminal Code
Reference: http://wings.buffalo.edu/law/bclc/web/website/allcodes2.htm
Main provisions in relation to ID theft: It is treated as an extension of the main provisions listed above, for the general purpose of guaranteeing the secrecy of communication. The Budapest Convention on Cybercrime, Italy being a first-time partner, has updated some provisions, and especially article 615 quinquies of the Italian Criminal Code, referring to abusive access to electronic databases or computer systems for the purpose of interrupting a system, stealing data or hacking a system.
Prescribed sanction:
- Up to 2 years imprisonment
- Up to 10.329 euros fine
Case law available? With sentence n. 37322 (dated 8 July 2008), the Italian highest Court convicted a man, previously a partner in a law firm, for illegal intrusion into his former partner’s computer system. The latter had moved to another office and created a new law firm as a consequence of an internal dispute between the two partners. The Court recognised the application of article 615 quinquies of the Criminal code, as amended by the provisions of the Budapest Convention.

Cybercrime (ID online theft)
Relevant law: Criminal Code
Reference: http://wings.buffalo.edu/law/bclc/web/website/allcodes2.htm
Main provisions in relation to ID theft: No specific provision in the Italian legislation. As an extension, the Italian judicial system has historically applied the provision of article 494 of the Criminal code, dealing with substitution (both online and offline) of personal identity.
Prescribed sanction: Up to 1 year imprisonment
Case law available? In 2008, the Italian group ‘Poste Italiane’ (Italian Post Company) and one of the major banking and financial institutions (Banca Intesa) were at the core of a cyber attack aimed at stealing the identities of customers and their account details, in order then to make criminal use of the identity data in traditional home-banking systems. The court recognised the new species of crime and relied on a variety of legal provisions. The main reference was precisely art. 494 of the Criminal code, invoking the intent of the criminals to use false IDs to access the companies’ electronic systems and steal money. The judges of course also relied on the listed article 617 sexies of the Criminal code (falsification or alteration of electronic communication data), article 640 of the Criminal code (fraud), article 615 ter of the Criminal code (abuse and intrusion into electronic systems) and art. 12 of Italian Law n. 197 (dated 5 July 1991), on the abuse of credit cards and payment instruments.

Phishing
Relevant law: Criminal Code; Law 15 July 1991 n. 197
Reference: http://wings.buffalo.edu/law/bclc/web/website/allcodes2.htm
Main provisions in relation to ID theft: There is no specific legislation on phishing. As an extension, the judicial system has historically applied the already mentioned article 617 sexies of the Criminal Code (falsification and manipulation of electronic communications) and art. 640 ter, Criminal Code (fraud).
Prescribed sanction:
- 6 months to 3 years imprisonment; between 51 and 1.032 euros fine
- 1 to 5 years imprisonment and a fine between 309 and 1.549 euros if the crime is committed by a public officer
- 1 to 4 years imprisonment (1 to 5 years if the crime is committed by an administrator or public officer)
Case law available? Cases are very recent and clearly concentrated on so-called ‘sms phishing’ (or SMishing). The first sentence was handed down by the Milan Courthouse in 2007, for a fraud related to phishing through mobile phones. The criminal network asked SMS recipients to immediately provide the PIN and security details of their bank account, if linked to a credit card. The SMS ostensibly came from the credit card company. The judge sanctioned this crime, relying on article 617 sexies of the Criminal code, with 2 years and 8 months imprisonment, a 1.000 euros fine and 10.000 euros compensation for damage to image. As for online phishing, the first and most relevant case involves the Italian group ‘Poste Italiane’, listed by statistics as the preferred ‘fake referent’ of phishing victims. In 2008 a Courthouse sentenced a 24-year-old for ‘manipulation of electronic communication for the purpose of fraud’ to 1 year and 8 months imprisonment.

ID theft reporting mechanisms
• Polizia Postale e delle comunicazioni (TLC and Postal Police): the specialised police branch for the prevention of cyber crimes and the investigation of electronic crimes, the prevention of hacking, the secrecy of communication and the fight against online child pornography. It operates through 20 regional offices and an electronic window for reporting crimes: poltel.XX(province)@poliziadistato.it. It also operates through the main police emergency number 112.
• Commissariato online (online police office): the most recent and state-of-the-art reporting mechanism.
Through an electronic window (http://www.commissariatodips.it/) crimes can be reported directly, with instant opening of a crime report.
• CNAIPIC (Anti-cyber crime Centre for National Infrastructures Protection): a highly specialised cell of the Italian Police, to prevent and deter cyber threats. An operational window is open 24 hours a day, 7 days a week.
• Nucleo Frodi Telematiche Guardia di Finanza (Fiscal police cell for cyber frauds): a highly specialised group to prevent ID theft, cyber fraud, forgery and electronic crimes.
• Adiconsum and other consumers’ rights protection bodies: for frauds and ID theft, they promote class actions among consumers. They have toll-free numbers and are reachable at given time ranges during the week.

Personal assessment of the framework for combating ID theft
Identity theft and fraud cases in Italy have been rising in recent years, with growth of 32 percent in 2007 and 11 percent in 2008, for a total amount of 145 million euros in 2008 [161], not including ATM-related frauds, which by the way account for an average of 500 million euros in Europe, with a +148 percent growth rate compared to the previous year [162].
Victims: There were 25.000 victims of identity theft in 2008 in Italy. Every day, 70 Italian consumers are victimised by identity theft. Identikit of victims: men aged 30 to 40, living in Campania, Sicilia, Lombardia, Lazio or Puglia, mainly freelancers.
Discovery: 69 percent discover that someone has stolen their identity after six months, while 22 percent of victims don't learn that their identity has been stolen for two or more years. 37 percent of consumers check their credit card reports. The information used to commit identity theft is: in 36 percent of cases the home address, in 30 percent of cases personal data, and finally lost or stolen documents. It can take up to 1.525 days (36.600 hours) to discover the theft, but the average victim will discover it in around 206 days (4.944 hours). Hotels too are listed among the major targets for digital criminals: among the ‘destinations for intruders’ listed in 2009, 38 percent were hotels, more than the financial industry (19 percent) and retail industries (14.2 percent) combined [163].
Recovery: The average victim spends 672 hours (1 month) repairing the damage. There is a significant percentage of people (29 percent) who are not aware, and find it impossible to know, how long it takes to repair all the damage caused. Victims have recognised that insecurity and fear (37 percent) and the loss of time (25 percent) are amongst the most important after-effects and are very difficult to repair. Victims of ID theft don’t know exactly what to do to solve the problem (58 percent); only 21 percent of the victims consider that reporting to the police could help; another 14 percent thought that calling their bank could be a solution, and engaging a lawyer could help according to 7 percent of the victims.
Costs: In 2008, identity fraud in Italy totalled 145 million € (30 percent increase over 2007 figures). The average fraud amount is 5.300 €.
[161] Source: CRIF report 2009
[162] Source: ENISA ATM Crime Report 2009, www.enisa.europa.eu
[163] Source: http://www.ciozone.com/index.php/Security/Hackers-Lurking-in-Hotel-Networks.html, from the TrustWave Survey
From a general perspective, the Italian legislation to prevent and punish ID theft and other cyber-related crimes is in quick and growing evolution. Within the framework of European cooperation, Italy is updating most of its civil and criminal provisions to fight such phenomena. Currently, two main gaps emerge from the previous analysis:
- There are no specific provisions or codification for false ID (online) and for identity theft when used for criminal purposes. One of the existing provisions applied by judges is art. 494 of the Italian criminal law (namely: ‘substitution of person’). The sanctions are then related to this kind of crime, thus not exactly conveying the potential effects of new cybercrimes in terms of harm to, and the reputation of, the offended party / victim;
- Phishing: no consolidated legislation. In some of the most recent decisions made by civil courts, judges have been forced to rely on several articles and chapters of the Civil and Criminal Code, with varying interpretations of sanctions.
Furthermore, there is a divisive political debate involving the Italian Parliament and social actors about a potential reform of the law on secrecy of communications (mainly based on wiretapping procedures and guarantees). It is highly probable that the law will change very soon, implying a more restrictive interpretation of procedures to authorise wiretapping and harsher sanctions for people violating data protection (especially in terms of news leaks).

Japan

Applicable laws
Laws focusing explicitly on ID theft
No legislation has been introduced in Japan that focuses explicitly on ID theft as a specific crime, or that defines such a crime. In practice, ID theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, etc.). No such legislation is currently under consideration to our knowledge. Instead, the policy emphasis in Japan is more on improving awareness of ID theft risks among potential victims and law enforcement bodies.
Other laws that may apply to ID theft incidents

Data protection laws – Protection of Personal Information Held by Administrative Organs
Relevant law: Act on the Protection of Personal Information Held by Administrative Organs (Act No. 58 of May 30, 2003 / Gyoseikikan no hoyusuru kojinjoho no hogo ni kansuru horitsu)
Reference: See http://law.e-gov.go.jp/htmldata/H15/H15HO058.html
Main provisions in relation to ID theft: Article 54 of this Act prohibits a person prescribed in Article 53 from providing another person with, or appropriating, the Retained Personal Information that he or she acquired with respect to his or her work, for the purpose of making an illicit gain for himself or herself or for a third party. A person of Article 53 is an employee or former employee of an Administrative Organ, or an individual or a business operator entrusted by an Administrative Organ with the handling of Personal Information, engaged in or formerly engaged in the entrusted affairs under Article 6, paragraph 2.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, the violations above can also be criminally sanctioned with imprisonment with work for not more than one year or a fine of not more than 500,000 yen.

Data protection laws – Protection of Personal Information Held by Independent Administrative Agencies, etc.
Relevant law: Act on the Protection of Personal Information Held by Independent Administrative Agencies, etc. (Act No. 59 of 2003 / Dokuritsugyoseihoujintou no hoyusuru kojinjoho no hogonikansuru horitsu)
Reference: See http://law.e-gov.go.jp/htmldata/H15/H15HO059.html
Main provisions in relation to ID theft: Article 51 of this Act prohibits a person prescribed in Article 50 from providing another person with, or appropriating, the Retained Personal Information that he or she acquired with respect to his or her work, for the purpose of making an illicit gain for himself or herself or for a third party. A person of Article 53 is an employee or former employee of an Independent Administrative Agency, or an individual or a business operator entrusted by an Administrative Organ with the handling of Personal Information, engaged in or formerly engaged in the entrusted affairs under Article 7, paragraph 2.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, the violations above can also be criminally sanctioned with imprisonment with work for not more than one year or a fine of not more than 500,000 yen.

Data protection laws – Protection of Family Registration
Relevant law: Family Registration Act (Act No. 224 of December 22, 1947 / Kosekiho)
Reference: See http://law.e-gov.go.jp/htmldata/S22/S22HO224.html
Main provisions in relation to ID theft: Article 132 of this Act prohibits a false report about a matter that does not require an entry in the family register or a record. This article also prohibits a false report about a matter concerning a foreigner.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, the violations above can also be criminally sanctioned with imprisonment with work for not more than one year or a fine of not more than 200,000 yen.

Data protection laws – Protection of Residential Basic Book
Relevant law: Residential Basic Book Act (Act No.81 of July 25, 1967 / Juminkihondaichoho)
Reference: See http://law.e-gov.go.jp/htmldata/S42/S42HO081.html
Main provisions in relation to ID theft: Article 47 paragraph (1) item (ii) of this Act prohibits the following acts when carried out by deceit or other wrongful means:
• receiving a copy of the certificate of residence, or the certificate of registered matters of the certificate of residence, prescribed in Articles 12 to 12-3;
• receiving a copy of the certificate of residence prescribed in Article 12-4;
• receiving a copy of the appendix table of the family registration prescribed in Article 20;
• receiving the Basic Resident Register card prescribed in Article 30-44.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, the violations above can also be criminally sanctioned with a fine of not more than 300,000 yen.

Data protection laws – Protection of passport
Relevant law: Passport Act (Act No.267 of November 28, 1951 / Ryokenho)
Reference: See http://law.e-gov.go.jp/htmldata/S26/S26HO267.html
Main provisions in relation to ID theft: Article 23 paragraph (1) item (i) of this Act prohibits making false statements in the documents relating to an application or request under this Act, or using other similar wrongful means, and thereby obtaining the issuance of the passport applied for, the alteration of a passport, or a travel document.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, the violations above can also be criminally sanctioned with imprisonment with work for not more than 5 years or a fine of not more than 3,000,000 yen.

Data protection laws – Protection of driver's license
Relevant law: Road Traffic Act (Act No.105 of June 25, 1960 / Dorokotsuho)
Reference: See http://law.e-gov.go.jp/htmldata/S35/S35HO105.html
Main provisions in relation to ID theft: Article 117-4 paragraph (1) item (iv) of this Act prohibits obtaining the grant of a driver's license or an overseas driver's license by false or other wrongful means.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, the violations above can also be criminally sanctioned with imprisonment with work for not more than one year or a fine of not more than 300,000 yen.
Data protection laws – Protection of customer identity-confirmation information held by financial institutions
Relevant law: Act on Prevention of Transfer of Criminal Proceeds (Act No.22 of March 31, 2007 / Hanzai ni yoru syueki no itenboushi ni kansuru horitsu)
Reference: See http://law.e-gov.go.jp/htmldata/H19/H19HO022.html
Main provisions in relation to ID theft: Article 26 of this Act punishes the following persons:
• §1: A person who has, in the guise of another person, with the intention of receiving the services pertaining to a deposit/savings contract with a specified business operator (limited to those listed in Article 2, paragraph 2, items (i) to (xv) and item (xxxiii); hereinafter the same shall apply in this Article) or having a third party receive such services, received the assignment, delivery or provision of the deposit/savings passbook, the deposit/savings withdrawal card, the information necessary for deposit/savings withdrawal or transfer or other items specified by a Cabinet Order as necessary for receiving the services pertaining to a deposit/savings contract with a specified business operator (hereinafter referred to as a ‘deposit/savings passbook, etc.’) shall be punished. The same shall apply to a person who has received the assignment, delivery or provision of a deposit/savings passbook, etc. for value without justifiable reasons such that the assignment, delivery or provision accompanies an ordinary commercial transaction or financial transaction.
• §2: The preceding paragraph shall also apply to a person who has assigned, delivered or provided a deposit/savings passbook, etc. to another person for value while knowing that such other person has the intention prescribed in the first sentence of the same paragraph. The same shall apply to a person who has assigned, delivered or provided a deposit/savings passbook, etc. for value without justifiable reasons such that the assignment, delivery or provision accompanies an ordinary commercial transaction or financial transaction.
• §3: A person who has committed, as a business, the crime prescribed in any of the preceding two paragraphs shall be punished.
• §4: §1 shall also apply to a person who has solicited people or induced people by advertising or other similar methods to commit the crime prescribed in paragraph 1 or paragraph 2.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of §1, 2 and 4 can be criminally sanctioned with a fine of not more than 500,000 yen.
• Violations of §3 can be criminally sanctioned with imprisonment with work for not more than 2 years or a fine of not more than 3,000,000 yen, or both.

Communications secrecy laws
Relevant law: Act on Electronic Signatures and Certification Business (Act No. 102 of May 31, 2000 / Denshisyomei oyobi ninshogyomuni kansuru horitsu)
Reference: See http://law.e-gov.go.jp/htmldata/H12/H12HO102.html
Main provisions in relation to ID theft: Article 41 of this Act punishes any person who makes a false application and thereby causes the Accredited Certification Business Operator or the Accredited Foreign Certification Business Operator to perform false certification of the User, with respect to the Certification Business pertaining to the accreditation.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, the violations above can also be criminally sanctioned with imprisonment for not more than 3 years or a fine of not more than 2,000,000 yen.

Fraud
Relevant law: Penal Code (Act No. 45 of April 24, 1907 / Keiho)
Reference: See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft: Fraud in general is punished by Article 246 of the Penal Code. This article sanctions any act of using deception (including the use of false names or titles, or any other type of deceptive manipulation or abuse of good faith or credulity) with a view to appropriating someone else’s property. This would apply to any ID theft incidents involving the use of a falsified identity to appropriate property.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of article 246 can be criminally sanctioned with imprisonment with work for not more than 10 years.

Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law: Penal Code (Act No. 45 of April 24, 1907 / Keiho)
Reference: See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801
Main provisions in relation to ID theft: Forgery is punished by Article 154 and following of the Penal Code, including particularly:
• Art. 155: A person who, for the purpose of uttering, counterfeits a document or drawing to be made by a public office or a public officer, or who alters a document or drawing which has been made by a public office or a public officer, shall be punished;
• Art. 157(1): A person who makes a false statement before a public officer and thereby causes the official to make a false entry in the original of a notarized deed, such as the registry or family registry, relating to rights or duties, or to create a false record on the electromagnetic record to be used as the original of a notarized deed relating to rights or duties, shall be punished. (2): A person who makes a false statement before a public officer and thereby causes the official to make a false entry in a license, permit or passport shall be punished;
• Art. 159: A person who counterfeits or alters a document or picture relating to rights, duties or certification of facts shall be punished.
This covers falsifying passports or other identity documents or intentionally using such documents.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of article 155 (where the seal or signature of a public office or a public officer is used) can be criminally sanctioned with imprisonment between 1 and 10 years; (where the seal or signature of a public office or a public officer is not used) with imprisonment with work for not more than 3 years or a fine of not more than 200,000 yen.
• Violations of article 157 (1) can be criminally sanctioned with imprisonment with work for not more than 5 years or a fine of not more than 500,000 yen; (2) with imprisonment with work for not more than 1 year or a fine of not more than 200,000 yen.
• Violations of article 159 (where the seal or signature of another is used) can be criminally sanctioned with imprisonment with work for not less than 3 months but not more than 5 years; (where the seal or signature of another is not used) with imprisonment with work for not more than 1 year or a fine of not more than 100,000 yen.

Cybercrime - illegal access to information systems (hacking)
Relevant law: Act on the Prohibition of Unauthorized Computer Access (Act No.
128 of August 13, 1999) (Fuseiakusesukoui no kinshito ni kansuru horitsu) Reference See http://law.e-gov.go.jp/htmldata/H11/H11HO128.html Main provisions in Illegal access to information systems is punished by Article 8 of relation to ID theft Act on the Prohibition of Unauthorized Computer Access, including particularly: • (1): accessing a computer through telecommunications network without authorization using ID and the password etc, of another person (an identification code); • (2): Accessing a computer through telecommunications network without authorization using in-formation or an order (except the identification code) that can avoid restrictions by the access control function; • (3): Accessing a computer through telecommunications network without authorization attacking a security hole. This would apply to any ID theft incidents involving the use of false credentials to gain unauthorized access to an information system, or to steal credentials from such a system. Prescribed Prescribed sanction Apart from damages that the victim may receive in a civil proceedings, violations of article 8 shall be punished by imprisonment with work for not more than 1 year or a fine of not more than 200,000 yen. Cybercrime – illegal data interference Relevant law Penal Code (Act No. 45 of April 24, 1907) (Keiho) 363 RAND Europe Reference National Profiles See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801 Main provisions in Illegal data interference is punished by Article 234-2 and 258, relation to ID theft 259 of the Penal Code, including particularly: • Art. 234-2: A person who obstructs the business of another by interfering with the operation of a computer utilized for the business of the other or by causing such computer to operate counter to the purpose of such utilization by damaging such computer or any electromagnetic record used by such computer, by inputting false data or giving unauthorized commands or by any other means, shall be punished. • Art. 
258: A person who damages a document or an electromagnetic record in use by a public office shall be punished. • Art. 259: A person who damages a document or electromagnetic record of another that concerns rights or duties shall be punished. • §4: producing, owning or distributing any devices (including software or data such as usernames/passwords) which were primarily designed or modified to commit the aforementioned crimes, knowing that these could be used to damage data or to disrupt the functioning of an information system. This would apply to any ID theft incidents involving the falsifying of identity information stored in an information system. Prescribed sanction Apart from damages that the victim may receive in a civil proceedings: • Violations of Art. 234-2 can be criminally sanctioned with imprisonment with work for not more than 5 years or a fine of not more than 1,000,000 yen. • Violations of Art. 258 can be criminally sanctioned with imprisonment with work for not less than 3 months but not more than 7 years. • Violations of Art. 259 can be criminally sanctioned with imprisonment with work for not more than 5 years. Cybercrime – computercomputer-related forgery Relevant law Penal Code (Act No. 45 of April 24, 1907) (Keiho) 364 RAND Europe Reference National Profiles See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801 Main provisions in Computer-related forgery is punished by Article 161-2 and 163-2 relation to ID theft and following of the Penal Code, including particularly: theft • Art. 161-2 (1): A person who, with the intent to bring about improper administration of the matters of another person, unlawfully creates without due authorization an electromagnetic record which is for use in such improper administration and is related to rights, duties or certification of facts, shall be punished. • Art. 
161-2 (2): When the crime prescribed under the preceding paragraph is committed in relation to an electromagnetic record to be created by a public office or a public officer, the offender shall be punished. • Art. 163-2: A person who, for the purpose prescribed for in paragraph (1) of the preceding paragraph, possesses the card prescribed for in paragraph (3) of the same paragraph, shall be punished. • Art. 163-4(1): A person who, for the purpose of use in for the commission of a criminal act prescribed for in paragraph (1) of Article 163-2, obtains information for the electromagnetic record prescribed for in the same paragraph, shall be punished. Art. 161-2 would apply to, for example, any ID theft incidents involving the use of false identity information in an information system to change its legal impact (eg, changing the name of the holder of a bank account, or performing banking transactions under someone else’s name). Prescribed sanction Apart from damages that the victim may receive in a civil proceedings: • Violations of Art. 161-2 (1) can be criminally sanctioned with imprisonment with work for not more than 5 years or a fine of not more than 500,000 yen. • Violations of Art. 161-2 (2) can be criminally sanctioned with imprisonment with work for not more than 10 years or a fine of not more than 1,000,000 yen. • Violations of Art. 163-2 can be criminally sanctioned with imprisonment with work for not more than 5 years or a fine of not more than 500,000 yen. • Violations of Art. 163-4 (1) can be criminally sanctioned with imprisonment with work for not more than 3 years 365 RAND Europe National Profiles or a fine of not more than 500,000 yen. Cybercrime – computercomputer-related fraud Relevant law Penal Code (Act No. 45 of April 24, 1907) (Keiho) Reference See http://www.juridat.be/cgi_loi/loi_N.pl?cn=1867060801 Main provisions in Computer-related fraud is punished by Article 246-2 of the Penal relation to ID theft Code. 
In addition to the provisions of Article 246, a person who obtains or causes another to obtain a profit by creating a false electromagnetic record relating to acquisition, loss or alteration of property rights by inputting false data or giving unauthorized commands to a computer utilized for the business of another, or by putting a false electromagnetic record relating to acquisition, loss or alteration of property rights into use for the administration of the matters of another shall be punished. Prescribed sanction Apart from damages that the victim may receive in a civil proceedings, violations of Art. 246-2 can be criminally sanctioned with imprisonment with work for not more than 10 years. Application in practice Claiming a false identity onon-line (eg, (eg, creating an account on a social networking site such as Facebook under someone else’s name) Applicable law(s) Such an incident would likely involve: - forgery and/or computer-related forgery, if the forgery changed the legal impact of the information; - fraud and/or computer-related fraud, if the false identity was used to unlawfully appropriate property. Case law available? Yes. In 1997, the Kyoto District Court did judgment about the case that changed addresses of another person who was registered on host computer of the PC communication to avoid detection of the fraud that the defendant performed with another person name with bulletin board system of the PC communication without permission. The court concluded it as follows. 1. When the defendant forges an ordinary deposit account 366 RAND Europe National Profiles establishment application in the name of another person and sent it to the bank, a forgery of a private document, use punishment is established to the defendant. 2. 
When the defendant transmits false information to a PC carrier with a PC of the self and let you change addresses of another person who you do the company's person in charge who does not know the feeling, and was registered on a host computer of the company without permission, I electromagnetic record injustice construction in an overhanging style punishment is established to the defendant. The defendant was given sentence of 2 years in prison with a stay of execution for 3 years with the probation. A copy of the decision can be found here: http://www.isc.meiji.ac.jp/~sumwel_h/doc/juris/kdcj-h9-5-9.htm Unlawfully using another person’s credentials (eg, (eg, using someone else’s username or password to send emails emails in his/her name) Applicable law(s) Most of the qualifications above could apply, depending on how the credentials were used: - violation of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully processed; - violation of communication secrecy laws, if use of the credentials can be qualified as unlawful access to data related to electronic communication (eg, to make bank transfers); - fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate property; - unauthorized access to information systems, if the credentials were used to access a system without authorisation. Case law available? Yes. In 2004, the Supreme Court judged the fraud when the defendant pretended to be a holder of a title deed and used a credit card. In 2006, the Supreme Court judged the computer fraud when the defendant input the names of the holder of a title deed of the credit card which he stole into a computer and purchased electronic money. 
In 2007, the Supreme Court judged the unauthorized access when the defendant steals ID and a password of another person and uses it illegally, and the Supreme Court judged Unauthorized Creation of 367 RAND Europe National Profiles Electromagnetic Records when he changes a password illegally. A copy of the decision of 2004 case can be found here: http://www.courts.go.jp/hanrei/pdf/js_20100319115338769000.pd f A copy of the decision of 2006 case can be found here: http://www.courts.go.jp/hanrei/pdf/js_20100319115528940656.pd f A copy of the decision of 2007 case can be found here: http://www.courts.go.jp/hanrei/pdf/20070810153918.pdf Phishing (using emails emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else’s bank account) Applicabl e law(s) The act of phishing itself (independent from what the perpetrator would do with the stolen information) would likely be: - a violation of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully processed; - fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate property; - illegal data interference, if the act of phishing involved entering, changing or deleting information in an information system without authorisation (eg, in order to falsify a website). - unauthorized access to information systems, if the credentials were used to access a system without authorisation. Case law Yes. available? In 2008, the Kyoto District Court ordered 3 years 6 months jail term and fine 1,000,000 yen for the defendant who committed fraud and an unauthorized creation of electromagnetic records, unauthorized access using the personal information of another person whom he got by Phishing. A copy of the decision can be found here: http://www.lli-hanrei.com/cgibin/eoc/hanreibodyctl.cgi?DOC=/docs/HANREI/HSRD0/6350/06350106. 
html Using spyware to obtain identity information (eg, (eg, installing a computer programme that records which usernames and passwords are used and communicates these to a hacker) 368 RAND Europe Applicable law(s) National Profiles The act of using the spyware itself (independent from what the perpetrator would do with the stolen information) would likely be: - unauthorized access to information systems, if the credentials were used to access a system without authorisation. - a violation of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully processed; - violation of communication secrecy laws, if the collection of the credentials can be qualified as unlawful access to data related to electronic communication; - illegal access to information systems, since installing the spyware is likely a violation of access rights; - illegal data interference, since installing the spyware likely involves installing software on the victim’s information system without authorisation. Case law available? Yes. In 2003, the Tokyo District Court ordered 4 years jail term for the defendant on the charge of computer fraud and an unauthorized creation of electromagnetic records, unauthorized access etc. in the following case. The defendant set a keylogger (keystroke-logging software) to the personal computer which was accessible to the Internet put in the Internet cafe and he obtained user ID / password (identification code) of another person. And then he accessed the server computer of the credit card company using the identification code which obtained illegally and he stored the false information of a victim having changed the address. And he pretended to be a victim and ripped off a PC by an Internet mail order and did it. 
eg, selling databases of Trafficking in unlawfully obtained personal information ((eg, email addresses to email marketers) Applicable law(s) The act of trafficking in unlawfully obtained information would likely be: - unauthorized access to information systems, if the credentials were used to access a system without authorisation. - violation of penal code, If the person who obtained personal information does a spoofing attack using the information concerned and threatens victim, he/she is charged in a forgery or intimidation, extortion etc. 369 RAND Europe Case law available? National Profiles Yes. In 2004, by the following cases, the Tokyo District Court sentenced defendant A by attempts of extortion for sentence of 2 years in prison with a stay of execution for 4 years and defendant B by unauthorized access and accessoryship on attempts of extortion for sentence of 2 years and 6 months in prison with a stay of execution for 5 years. When defendant A obtained the customer information that defendant B of the co-operator hacked the server computer of the ITC-related company and snitched, he threatened the person in charge of the ITC-related company. But it ended in an attempt. ID theft reporting mechanisms ID theft reporting site In Japan, any reporting mechanisms focused on on-line and offline identity theft no exist. And sites dedicated exclusively to identity theft do not exist. In addition, such a website is not planned. Or it is not known outside even if such a website is planned. However the National Police Agency performs an example search of Phishing and the unauthorized access and the introduction of the consultation services in a website called ‘National Police Agency, Internet safety and security consultation(keisatsucho intanetto anzenn anshin soudan)’ (http://www.npa.go.jp/cybersafety/). 
Other sites Several other sites play a mainly informative role with respect to ID theft, including notably: • The web site of Ministry of Foreign Affairs (http://www.mofa.go.jp/mofaj/toko/passport/higairei.html) throw out the caveat that ‘damage of the passport acquisition by the loss or theft of the passport or the spoofing attack is taking place at home and abroad’ on November 24, 2009. And a victim introduces a method to let a passport lapse when he/she lose or encounter theft a passport. • CYBERCRIME PROJECT (http://www.npa.go.jp/cyber/) is a website managed by the National Police Agency. This site carries precaution and ways of coping on the cybercrime and the cybercrime measures that the National Police Agency promotes. In this site, the NPA carries statistics such as the arrest situation and the consultation acceptance situation of the cybercrime. And this site carries the research report about cybercrime measures carrying out in an organization 370 RAND Europe National Profiles including the National Police Agency concerned. In addition, this site carries the website that serves as a reference on carrying out cybercrime measures. • @police(http://www.npa.go.jp/cyberpolice/) is a website managed by the NPA. This site is Internet security Portal Site that is intended to prevent cyber crime and cyber terrorism, and keep them from spreading, by quickly providing information gathered by the police on information security to Internet users, and increasing security awareness. • Information-Technology Promotion Agency, Japan (http://www.ipa.go.jp/) undertakes activities in four principal fields that form the pillars of our operations: IT Security, Software Engineering, IT Human Resources Development and Open Software. 
IPA accept a report of the damage information of the unauthorized access from the information industry, the information section of the company, personal users widely and grasp the actual situation of damage of the unauthorized access, and enlightens the prevention. • Internet Hotline Center JAPAN (http://www.internethotline.jp/index.html) is information addressee of the illegal harmful information (that undertake and mediate, induce an illegal act directly and explicitly) in the Internet in Japan. Counterfeiting of official documents is also included in an object in illegal harmful information. This site started to management on June 1, 2006. As a result of having analyzed reported information, this site reports to the National Police Agency if they recognize it to be illegal information. • National Consumer Affairs Center of Japan (http://www.kokusen.go.jp/): a site disseminating general information in relation to consumer protection, including with respect to common Internet fraud attempts. This site provides practical examples of incidents and recommendations to improve consumer awareness. • Council of Anti-Phishing Japan (http://www.antiphishing.jp/) is active for the purpose of restraint of the phishing damage in Japan. These sites collect and provide case examples and technical information about phishing. Personal assessment of the framework for combating ID theft Globally, it seems that the legal framework for combating ID theft incidents in Japan is sufficiently comprehensive, as there do not appear to be any examples of ID theft incidents which are not covered under present legislation. The law revision to punish information theft is made every individual law, and the argument on the law to regulate comprehensively the identity theft is not really argued. In Japan there is not the portal site to report Internet crime such as Belgian eCops, but various organizations including the National Police Agency continue working on enlightenment. 
None the less, there are also a few weaknesses. Firstly, when the victim encountered or almost encountered damage of cybercrime, the police offices accept with a consultation and a report, but they do not come to public attention. Victims of ID theft are required to go through official channels (ie, registering a complaint with local police offices). ID theft 371 RAND Europe National Profiles does not appear to take a high priority in investigations, except in cases of clear and significant harm to the victim. Secondly, the investigation of incidents remains complicated in practice, especially in cross border cases. Even when clear evidence of an ID theft incident can be found (eg, a fake profile on a social networking website through which false information is being spread), it can often prove difficult to convince the website operators to take the offending information off-line, and even harder to obtain information from the operator that would make it possible for local judicial authorities to investigate the crime further (eg, IP addresses or mail addresses used by the offender). In practice, this appears to be the main challenge to combating ID theft incidents. In Japan, many people do not seem to understand yet a value placed on the information, and a menace of fraudulent use of information. However because the unauthorized acquisition of the user account is increasingly, Japan Online Game Association accept a request of the introduction on the certification system by the National Police Agency and announced that they introduced common certification system in a member company on March 31, 2010. In this way, the identity theft command interest gradually. 372 RAND Europe National Profiles Latvia Applicable laws Laws focusing explicitly on ID theft In Latvia no laws which focus explicitly on ID theft have been introduced. 
The phenomenon of ID theft, which may take multiple forms, is combated with the help of the general laws, related to personal data protection, provision of communications services, as well as with the help of various administratively and criminally punishable offences. To our knowledge, no legislation, focusing explicitly on ID theft, is currently being considered. However, in the beginning of March of this year the Cabinet of Ministers has tasked the Ministry of Transportation to develop a new law on cyber security. At the present moment more details on the possible scope of the draft law are unavailable, therefore it is difficult to assess its possible implication on the issue of ID thefts. Other laws that may apply to ID theft incidents Data protection laws Relevant law Law of 23 March 2000 ‘Personal Data Protection Law’ (Fizisko personu datu aizsardzības likums). Reference See http://www.likumi.lv/doc.php?id=4042 Main provisions in ID theft incidents will constitute unlawful processing, as it will relation to ID theft violate legitimacy requirements (Section 7, 11, 12, 13(1), 28), proportionality obligations and purpose restriction (Section 10), transparency obligations (Section 8, 9), obligation to register processing of data at Data State Inspectorate (Section 21, 21(1)), security obligations (Section 25, 26). Prescribed sanction Apart from damages that the victim may receive in civil proceedings: • the violations of the abovementioned obligations can also be subject to administrative liability according to the Latvian Administrative Violations Code: a. Section 204(7), paragraph 1, of the abovementioned law sanctions illegal operations with a natural person’s data, that is, in respect of any illegal operations with a natural person’s data, including collection of data, registration of data, entering, storing, ordering, transforming, utilisation, transfer, transmitting, blocking or deleting of the data. 
The 373 RAND Europe National Profiles applicable sentence is a warning, or a fine on natural persons in an amount from LVL 50 (EUR 71.14) up to LVL 400 (EUR 569.14), on officials from LVL 100 (EUR 142.28) up to LVL 400 (EUR 569.14), but for legal persons from LVL 1000 (EUR 1422.87) up to LVL 8000 (EUR 11 382.97), with or without confiscation of the articles and tools used to commit the violation; b. Section 204(7), paragraph 2, of the abovementioned law sanctions illegal operations with a natural person’s sensitive personal data. The applicable sentence is a warning, or a fine on natural persons in an amount from LVL 200 EUR 284.57) up to LVL 500 (EUR 711.43), on officials from LVL 300 (EUR 426.86) up to LVL 500 (EUR 711.43), but for legal persons from LVL 3000 (EUR 4 268.61) up to LVL 10 000 (EUR 14 228.71), with or without confiscation of the articles and tools used to commit the violation; c. Section 204(8) of the abovementioned law sanctions failure to provide information to a data subject; d. Section 204(9) of the abovementioned law sanctions processing of natural person’s data without registration; e. Section 204(10) of the abovementioned law sanctions the failure to provide information to the Data State Inspectorate; f. • Section 204(11) of the abovementioned law sanctions the failure to accredit persons at the Data State Inspectorate. The violations of the above mentioned obligations can also be subject to criminal liability according to the Criminal Law: a. Section 145, paragraph 1, of the abovementioned law sanctions illegal operations with a natural person’s data, if a significant harm is caused thereby. The applicable sentence is deprivation of liberty for a term not exceeding two years or custodial arrest, or community service, or a fine not exceeding one hundred times the minimum monthly wage164. 164 In 2010 in Latvia the minimum monthly wage is set LVL 180. 374 RAND Europe National Profiles b. 
Section 145, paragraph 2, of the abovementioned law sanctions illegal operations with a natural person’s data, if committed thereof by the data controller or data processor for the purposes of revenge, acquiring property or blackmailing. The applicable sentence is deprivation of liberty for a term not exceeding four years or custodial arrest, or community service, or a fine not exceeding one hundred twenty times the minimum monthly wage. c. Section 145, paragraph 3, of the abovementioned law sanctions influencing the system administrator or personal data processor, or the data subject with the help of violence or threats, or maliciously using the confidence, or with the help of deceit, for the purposes of carrying out illegal operations with a natural person’s data. The applicable sentence is deprivation of liberty for a term not exceeding five years or custodial arrest, or community service, or a fine not exceeding two hundred times the minimum monthly wage. d. Section 193(1) of the Criminal Law sanctions the acts of obtaining, manufacturing, distributing, using and storing data, software and equipment for unlawful acts with financial instruments and means of payment. The applicable sentence is deprivation of liberty for a term not exceeding ten years, with or without confiscation of the property (depending on the violation). Communications secrecy laws Relevant law Law of 28 October 2004 ‘Electronic communications law’ (Elektronisko sakaru likums). Reference See http://www.likumi.lv/doc.php?id=96611 Main provisions in Section 19 of this law makes the provider of the electronic relation to ID theft communications services to be responsible for maintenance of security of the data, including personal data, of the users of electronic communications. 
Section 68 of this law prohibits the provider of the electronic communications services to disclose data about the users and subscribers of electronic communications services, as well as services received, as well as prohibits disclosure of information, which has been circulated via electronic communications. 375 RAND Europe Prescribed sanction National Profiles Apart from damages that the victim may receive in civil proceedings: a. Section 144 of the Criminal Law sanctions violating the confidentiality of correspondence, information in the form of transmissions over a telecommunications network and other information. The applicable sentence is deprivation of liberty for a term not exceeding five years, or community service, or a fine not exceeding one hundred times the minimum monthly wage, with or without deprivation of the right to engage in specific activities for a period not exceeding five years (depending on the violation). b. Section 200 of the Criminal Law sanctions disclosure of non-disclosable information, which is not an official secret. The applicable sentence is custodial arrest or community service or a fine not exceeding fifty times the minimum monthly wage (depending on the violation). Fraud Relevant law Law of 17 June 1998, ‘The Criminal Law’ (Krimināllikums). Reference http://www.likumi.lv/doc.php?id=88966#saist_11 Main provisions in Fraud in general is punishable according to the Section 177 of relation to ID theft the Criminal Law. This Section sanctions acquiring property of another, or of rights to such property, by the use, in bad faith, of trust, or by deceit (fraud). 
Prescribed sanction Apart from damages that the victim may receive in civil proceedings, violations of Section 177 can be criminally sanctioned with deprivation of liberty for a term not exceeding thirteen years, or with confiscation of property, or custodial arrest, or community service, or a fine not exceeding one hundred fifty times the minimum monthly wage (depending on the violation). Forgery with respect to identity (ie, (ie, falsifying identities on a document) Relevant law Law of 17 June 1998, ‘The Criminal Law’ (Krimināllikums). Reference http://www.likumi.lv/doc.php?id=88966#saist_11 Main provisions in Forgery in general is punishable according to the Section 275 of the Criminal Law. This Section sanctions forgery of a document 376 RAND Europe National Profiles relation to ID theft conferring rights or a release from obligations, or of a seal or a stamp, or using or selling a forged document, seal or stamp. Prescribed sanction Apart from damages that the victim may receive in civil proceedings, violations of Section 275 can be criminally sanctioned with deprivation of liberty for a term not exceeding four years, or community service, or a fine not exceeding sixty times the minimum monthly wage (depending on the violation). Cybercrime - illegal access to information systems (hacking) Relevant law Law of 17 June 1998, ‘The Criminal Law’ (Krimināllikums). Reference http://www.likumi.lv/doc.php?id=88966#saist_11 Main provisions in Arbitrarily accessing automated data processing system in general relation to ID theft is pubishable according to the Section 241 of the Criminal Law. 
This Section sanctions arbitrarily (without the relevant permission, or utilising rights granted to another person) accessing an automated data processing system or a part thereof, if a breach of data processing protective systems is associated therewith, or if significant harm is caused thereby, or if it is committed for the purpose of acquiring property, or if serious consequences are caused thereby.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of Section 241 can be criminally sanctioned with deprivation of liberty for a term not exceeding eight years, or custodial arrest, or a fine not exceeding one hundred and eighty times the minimum monthly wage, with or without confiscation of property (depending on the violation).

Cybercrime – illegal data interference
Relevant law: Law of 17 June 1998, ‘The Criminal Law’ (Krimināllikums).
Reference: http://www.likumi.lv/doc.php?id=88966#saist_11
Main provisions in relation to ID theft: Interference in the operation of automated data processing systems, and unlawful action with the information included in such systems, is in general punishable under Section 243 of the Criminal Law. This Section sanctions modifying, damaging, destroying, impairing or hiding information stored in an automated data processing system without authorisation, or knowingly entering false information into an automated data processing system, as well as interference in the operation of an automated data processing system by entering, transferring, damaging, extinguishing, impairing, changing or hiding information, if the protective systems are damaged or destroyed thereby, or significant harm is caused thereby, or losses are caused on a large scale, or if it is committed for the purpose of acquiring property, or if serious consequences are caused thereby.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of Section 243 can be criminally sanctioned with deprivation of liberty for a term not exceeding eight years, or community service, or a fine not exceeding two hundred times the minimum monthly wage, with or without confiscation of property (depending on the violation).

Cybercrime – computer-related forgery
Relevant law: Law of 17 June 1998, ‘The Criminal Law’ (Krimināllikums).
Reference: http://www.likumi.lv/doc.php?id=88966#saist_11
Main provisions in relation to ID theft: Computer-related forgery is covered by Section 244, which sanctions the unlawful manufacture, adaptation for use, sale, distribution or storage of devices (including software) which are intended to influence automated data processing system resources.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of Section 244 can be criminally sanctioned with deprivation of liberty for a term not exceeding ten years, or community service, or a fine not exceeding two hundred times the minimum monthly wage, with or without confiscation of property (depending on the violation).

Cybercrime – computer-related fraud
Relevant law: Law of 17 June 1998, ‘The Criminal Law’ (Krimināllikums).
Reference: http://www.likumi.lv/doc.php?id=88966#saist_11
Main provisions in relation to ID theft: Fraud in automated data processing systems is in general punishable under Section 177(1) of the Criminal Law. This Section sanctions the act of entering false data into an automated data processing system, in order to influence the operation of its resources, for the acquisition of the property of another person or the rights to such property, or the acquisition of other material benefits (computer fraud).
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of Section 177(1) can be criminally sanctioned with deprivation of liberty for a term of up to fifteen years, or with confiscation of property, or custodial arrest, or community service, or a fine not exceeding two hundred times the minimum monthly wage (depending on the violation).

Application in practice

Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else’s name)
Applicable law(s): Such an incident would likely involve:
- violations of the Personal Data Protection Law, since personal data of the victim would likely be unlawfully processed to make the false identity believable (eg, publication of the victim's name, address, photo, etc.);
- violation of communication secrecy, if the false profile results in messages being sent to it which were intended for the real recipient;
- forgery, if the incident/act changed the legal impact of the information;
- computer-related fraud, if the false identity was used to unlawfully appropriate property.
Liability for these violations is established according to the Sections of the Latvian Administrative Violations Code or the Criminal Law described above.
Case law available? None publicly available.
Unlawfully using another person’s credentials (eg, using someone else’s username or password to send emails in his/her name)
Applicable law(s): Most of the qualifications above could apply, depending on how the credentials were used:
- violation of the Personal Data Protection Law, since the credentials are likely to be considered personal data which are being unlawfully processed;
- violation of communication secrecy, if use of the credentials can be qualified as unlawful access to data related to electronic communication (eg, to make bank transfers);
- computer-related fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal access to automated data processing systems, if the credentials were used to access a system without authorisation.
Liability for these violations is established according to the Sections of the Latvian Administrative Violations Code or the Criminal Law described above.
Case law available? None publicly available.
Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else’s bank account)
Applicable law(s): The act of phishing itself (independent of what the perpetrator would do with the stolen information) would likely be:
- a violation of the Personal Data Protection Law, since the credentials are likely to be considered personal data which are being unlawfully processed;
- a violation of the prohibition on obtaining data for unlawful acts with financial instruments and means of payment, if the purpose of obtaining the data was the commission of unlawful acts with financial instruments and means of payment;
- a violation of communication secrecy, if the collection of the credentials can be qualified as unlawful access to data related to electronic communication;
- fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal data interference, if the act of phishing involved entering, changing or deleting information in an information system without authorisation (eg, in order to falsify a website).
Liability for these violations is established according to the Sections of the Latvian Administrative Violations Code or the Criminal Law described above.
Case law available? None publicly available.

Using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits
Applicable law(s): Such an incident would likely involve a violation of Section 275 of the Criminal Law (Forgery, see Section 1.2.2. above).
Case law available? None publicly available.
Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law(s): The act of trafficking in unlawfully obtained information would likely involve:
- violation of the Personal Data Protection Law, since the personal information would be unlawfully processed;
- violation of the prohibition on disclosing non-disclosable information.
Liability for these violations is established according to the Sections of the Latvian Administrative Violations Code or the Criminal Law described above.
Case law available? None publicly available.

ID theft reporting mechanisms

DDIRV.LV
Computer incidents can be reported either by telephone or online at [email protected] to the Computer Security Incident Response Team (DDIRV), which was initially established as a department of the State information network agency. DDIRV’s basic service (for example, recommendations in case of computer security incidents) is available to both registered and unregistered clients, but only IT administrators of State and municipal institutions can voluntarily register for additional benefits such as pre-emptive information about threats that might affect their systems. Unregistered clients can receive consultations or recommendations in case of a computer security incident. This means that DDIRV consultations and recommendations are available to every person who has reported an incident, and this institution is responsible for security incident handling and prevention in his/her network.

Data State Inspectorate
Suspected illegal operations with personal data should be reported to the Data State Inspectorate, by submitting the application either in person or via post, or by sending the information electronically (if signed with a secure electronic signature) to the email address [email protected].

State Police
Any suspected crime should be reported to the State Police.
The form in which the information should be submitted is not defined, except that anonymous information cannot serve as the basis for initiating criminal proceedings. Information can be submitted to the State Police not only by the victim, but also by the controlling authorities (for example, the Data State Inspectorate) or by persons who know about the possible commission of a crime but who are not themselves victims.

Consumer Rights Protection Centre
If the offence is related to the quality of the services provided (for example, communications services), a person can submit an application to the Consumer Rights Protection Centre. The application can be submitted either in traditional written form (in person or via post), electronically if signed with an electronic signature ([email protected]), or orally.

Personal assessment of the framework for combating ID theft
It seems that the legal framework for combating ID theft incidents in Latvia is sufficiently comprehensive, as there do not appear to be any examples of ID theft incidents which are not covered under present law. The tradition of defining administratively and criminally punishable offences in codified laws (the Latvian Administrative Violations Code and the Criminal Law, respectively) is long-standing, and therefore the absence of a specific law focusing explicitly on ID theft does not seem to create any difficulty, since the existing sources can readily be applied to ID theft incidents. On the other hand, earlier this year a large amount of personal data was stolen from the information systems of the State Revenue Service. Data about the incomes of persons, mainly employees of Governmental institutions, is publicly revealed from time to time, and it seems that at present the State Police cannot find the persons responsible for the theft of this data.
This shows that the difficulties are associated with the practical implementation of the laws rather than with the laws themselves. Moreover, data about the actual number of administrative and criminal offences related to ID theft, as well as a complete database of court practice, is not publicly available. In addition, the discussion in Latvia about the need to improve the security of Governmental communications networks has intensified lately. At the beginning of March of this year the Cabinet of Ministers tasked the Ministry of Transportation with developing a new law on cyber security. At present no further details about the possible scope of the draft law are available, so it is difficult to assess its possible implications for the issue of ID theft.

Lithuania

Applicable laws

Laws focusing explicitly on ID theft
No legislation has been introduced in Lithuania that focuses explicitly on ID theft as a specific crime, or that defines such a crime. In practice, ID theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, etc.). No such legislation is currently under consideration according to the information available.

Other laws that may apply to ID theft incidents

Data protection laws
Relevant law: Law of 11 June 1996 on legal protection of personal data (Lietuvos Respublikos asmens duomenų teisinės apsaugos įstatymas).
Reference: See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=315633
Main provisions in relation to ID theft: As under the Data Protection Directive 95/46/EC, ID theft incidents will typically constitute unlawful processing, as they will violate legitimacy requirements (Article 5), proportionality obligations and the purpose restriction (Article 3), security obligations (Article 30) and formal obligations such as the prior notification to the Lithuanian State Data Protection Inspectorate (Article 31).
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, according to the Lithuanian Administrative Code (Art. 214(14)) the violations above can also be sanctioned with a fine of 145 up to 290 EUR.

Communications secrecy laws – existence and technical aspects of electronic communication
Relevant law: Law of 15 April 2004 on Electronic Communications (Lietuvos Respublikos elektroninių ryšių įstatymas).
Reference: See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=242679
Main provisions in relation to ID theft: Article 61 of this Act forbids the provider of electronic communications services, without the consent of the actual user of the electronic communication services, (1) to listen to, record, store or otherwise intercept information and related traffic data, or to gain secret access to such information and related traffic data; (2) to disclose the content of information transmitted over electronic communications networks and/or related traffic data, or to create conditions for gaining access to such information and/or related traffic data.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of Article 61 can be sanctioned by the Lithuanian Communications Regulatory Authority (CRA) with an administrative fine of up to 3 percent of the annual gross income from activities associated with electronic communications, and, if it is difficult or impossible to calculate the volume of such activity, with a fine of up to LTL 300,000 (about EUR 87,000). For a repeated or serious infringement, the CRA has the right to impose a fine of up to 5 percent of the annual gross income from activities associated with electronic communications; however, if it is difficult or impossible to calculate the volume of such activity, a fixed fine of up to LTL 500,000 (about EUR 145,000) is set.
If the annual gross income of an undertaking is less than LTL 300,000 (about EUR 86,886), a fine of up to LTL 10,000 (about EUR 2,896) may be imposed by the CRA, while in the case of a repeated or serious infringement a fine of up to LTL 20,000 (about EUR 5,792) may be set.

Communications secrecy laws – contents of electronic communication
Relevant law: Criminal Code (Lietuvos Respublikos baudžiamasis kodeksas).
Reference: See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=366707
Main provisions in relation to ID theft: Article 166 forbids the following acts:
• Unlawfully intercepting, recording or observing a person’s messages transmitted by electronic communications networks;
• Unlawfully recording, wiretapping or observing a person’s conversations transmitted by electronic communications networks.
Additional provisions of Article 168 punish the use of lawfully made recordings which were primarily designed or modified to commit the aforementioned crimes.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of Article 166 can be criminally sanctioned with a fine, community service, restriction of liberty, arrest or imprisonment up to 2 years;
• Violations of Article 168 can be criminally sanctioned with a fine, community service, restriction of liberty, arrest or imprisonment up to 3 years.

Fraud
Relevant law: Criminal Code (Lietuvos Respublikos baudžiamasis kodeksas).
Reference: See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=366707
Main provisions in relation to ID theft: Fraud in general is punished by Article 182 of the Criminal Code. This article sets forth that a person who, by deceit, acquires another’s property for his/her own benefit or for the benefit of other person(s), or acquires a property right, avoids a property obligation or annuls it, shall be punished. This would apply to any ID theft incidents involving the use of a falsified identity to acquire property.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of Article 182 can be criminally sanctioned with community service, a fine, restriction of liberty, arrest or imprisonment up to 3 years.

Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law: Criminal Code (Lietuvos Respublikos baudžiamasis kodeksas).
Reference: See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=366707
Main provisions in relation to ID theft: Forgery is punished by Article 300 of the Criminal Code, including:
• §1: producing a false document, forgery of a genuine document, transport, storage, use, handling of a document known to be false or a genuine document known to be forged;
• §2: falsifying a passport, identity card, driving licence or state social insurance certificate.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of Article 300 §1 can be criminally sanctioned with a fine, arrest or imprisonment up to 3 years;
• Violations of Article 300 §2 can be criminally sanctioned with arrest or imprisonment up to 4 years.

Cybercrime – illegal access to information systems (hacking)
Relevant law: Criminal Code (Lietuvos Respublikos baudžiamasis kodeksas).
Reference: See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=366707
Main provisions in relation to ID theft: Illegal access to information systems is punished by Article 198(1) of the Criminal Code, including particularly:
• §1: unlawfully connecting to an information system by cracking the protection means of the information system;
• §2: unlawfully connecting to an information system of strategic importance for national security or of major importance for State government, the economy or the financial system.
This would apply to any ID theft incidents involving the use of false credentials to gain unauthorised access to an information system, or to steal credentials from such a system.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of §1 can be criminally sanctioned with community service, a fine, arrest or imprisonment up to 1 year;
• Violations of §2 can be criminally sanctioned with a fine, arrest or imprisonment up to 3 years.

Cybercrime – illegal data interference
Relevant law: Criminal Code (Lietuvos Respublikos baudžiamasis kodeksas).
Reference: See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=366707
Main provisions in relation to ID theft: Illegal data interference is punished by Article 196 of the Criminal Code, including particularly:
• §1: destroying, damaging, removing or modifying electronic data, technical equipment or software, or otherwise restricting the use of such data, thereby causing high damage;
• §2: causing damage to the electronic data of an information system of strategic importance for national security or of high importance for State government, the economy or the financial system as a result of committing the crime in §1.
Art. 198(2) forbids the act of unlawfully producing, transporting, selling or otherwise distributing installations or software, including passwords, login codes or other similar data directly intended for the commission of criminal acts, or the act of acquiring or storing them for the same purpose. This would apply to any ID theft incidents involving the falsifying of identity information stored in an information system.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of §1 can be criminally sanctioned with community service, a fine or imprisonment up to 4 years;
• Violations of §2 can be criminally sanctioned with a fine, arrest or imprisonment up to 6 years;
• Violations of Art. 198(2) can be criminally sanctioned with community service, a fine, arrest or imprisonment up to 3 years.

Cybercrime – computer-related forgery
Relevant law: Criminal Code (Lietuvos Respublikos baudžiamasis kodeksas).
Reference: See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=366707
Main provisions in relation to ID theft: Computer-related forgery is punished by Article 196 of the Criminal Code, including particularly:
• §1: destroying, damaging, removing or modifying electronic data, technical equipment or software, or otherwise restricting the use of such data, thereby causing major damage;
• §2: causing damage to the electronic data of an information system of strategic importance for national security or of high importance for State government, the economy or the financial system as a result of committing the crime in §1.
Article 198 of the Criminal Code punishes the act of unlawfully observing, recording, intercepting, acquiring, storing, appropriating, distributing or otherwise using electronic data which shall not be made public. This would apply to, for example, any ID theft incidents involving the use of false identity information in an information system to change its legal impact.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of §1 can be criminally sanctioned with community service, a fine or imprisonment up to 4 years;
• Violations of §2 can be criminally sanctioned with a fine, arrest or imprisonment up to 6 years;
• Violations of §1 of Article 198 can be criminally sanctioned with a fine or imprisonment up to 4 years.
Cybercrime – computer-related fraud
Relevant law: Criminal Code (Lietuvos Respublikos baudžiamasis kodeksas).
Reference: See http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=366707
Main provisions in relation to ID theft: Computer-related fraud is punished by Article 198 of the Criminal Code, including particularly:
• §1: unlawfully observing, recording, intercepting, acquiring, storing, appropriating, distributing or otherwise using electronic data which shall not be made public;
• §2: committing the crime described in §1 in respect of electronic data which shall not be made public and which are of strategic importance for national security or of high importance for State government, the economy or the financial system.
This would apply to, for example, any ID theft incidents involving the modification of information systems in order to obtain usernames/passwords (eg, phishing).
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of §1 can be criminally sanctioned with a fine or imprisonment up to 4 years;
• Violations of §2 can be criminally sanctioned with imprisonment up to 6 years.

Application in practice
In the sections below, we examine if and how these regulations are applied in practice, including the identification of any known case law and resulting sanctions.

Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else’s name)
Applicable law(s): Such an incident would likely involve:
- forgery and/or computer-related forgery, if the forgery changed the legal impact of the information;
- fraud and/or computer-related fraud, if the false identity was used to unlawfully appropriate property.
Case law available? No known case law.
Unlawfully using another person’s credentials (eg, using someone else’s username or password to send emails in his/her name)
Applicable law(s): Most of the qualifications above could apply, depending on how the credentials were used:
- fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal access to information systems, if the credentials were used to access a system without authorisation.
Case law available? No known case law.

Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else’s bank account)
Applicable law(s): The act of phishing itself (independent of what the perpetrator would do with the stolen information) would likely be:
- fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal data interference, if the act of phishing involved entering, changing or deleting information in an information system without authorisation (eg, in order to falsify a website).
Case law available? No known case law.

Using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits
Applicable law(s): Such an incident would likely involve forgery with respect to identity, which is punished by Article 300 of the Criminal Code.
Case law available? Several cases are known, specifically in relation to the use of falsified passports. For example, the Supreme Court of Lithuania ruled on a case in which a person falsified a passport. The defendant was convicted of a violation of paragraph 2 of Article 300 of the Criminal Code, which prohibits falsifying a passport, identity card, driving licence or state social insurance certificate, and was sentenced to imprisonment.
A copy of the decision in Lithuanian can be found here: http://www.lat.lt/default.aspx?item=tn_liteko&lang=1

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law(s): The act of trafficking in unlawfully obtained information would likely be a violation of the communication secrecy laws, since the lawfully gained personal information would be made public, or used for one's own benefit or for the benefit of another person, without the consent of the person concerned.
Case law available? No known case law.

ID theft reporting mechanisms

CERT-LT reporting site
To facilitate the reporting of IT security incidents (including, but not limited to, system intrusion, phishing, spam, spyware, etc.), a general reporting website (www.cert.lt) was established by CERT-LT in Lithuania. CERT-LT is the Lithuanian National Computer Emergency Response Team, whose task is to promote security in the information society by preventing, observing and resolving information security incidents and disseminating information on threats to information security. CERT-LT activities are managed by the Lithuanian Communications Regulatory Authority. CERT-LT publishes annual and quarterly statistical reports on the status of and developments in online-related crimes and security threats in Lithuania. The CERT-LT website provides users with general information regarding online incidents and the ways to combat them. The website of CERT-LT acts as a single contact point, through which IT security incidents can be reported by filling in the online form in either Lithuanian or English. When submitting the report it is required to provide an email address and a description of the IT incident. It should be noted that the CERT-LT website is primarily aimed at allowing citizens to report information security incidents or threats that they have observed but of which they were not the victims.
Victims of such incidents, if any damages were suffered, are recommended to contact the local police office directly or the Lithuanian Cyberpolice (http://www.cyberpolice.lt).

State Data Protection Inspectorate
Violations of Lithuanian personal data processing laws can be reported to the Lithuanian State Data Protection Inspectorate. Notification of violations of a data subject’s rights may be submitted by the data subject either in person or via post, or by sending such information electronically.

Police
Any suspected crime should be reported to the local police office or to the Cyberpolice. Information about ID theft crime can be submitted to the police not only by the victim, but also by the controlling authorities (eg, the State Data Protection Inspectorate or the Communications Regulatory Authority) or by persons who know about the possible commission of a crime but who are not themselves victims.

Other sites
Apart from the CERT-LT website, other websites in Lithuania play a mainly informative role with respect to ID theft, including notably the e-safety website (http://www.esaugumas.lt/), managed by the Lithuanian Communications Regulatory Authority. This website aims to improve awareness of Internet security issues through general tips and recommendations to Internet users.

Personal assessment of the framework for combating ID theft
The legal framework for combating ID theft incidents in Lithuania could be considered sufficiently comprehensive to cover the ID theft incidents described in this report. Furthermore, the establishment of a single contact point for reporting IT security incidents (the aforementioned CERT-LT website) should be considered a positive development in combating IT security threats. Nonetheless, there are also some weaknesses. Firstly, the CERT-LT website is promoted as a website for the reporting of IT security incidents by non-victims.
CERT-LT does not investigate Internet crimes associated with ID theft; it only helps to identify and resolve problems on the Internet. Victims of ID theft are still required to go through official channels (ie, registering a complaint with the local police office or the Cyberpolice). This process is still not transparent enough for victims. The follow-up of such complaints can be rather slow and depends on the availability of resources for the investigation. It should also be noted that there is not enough publicly available information about Internet-based crimes, especially in the case of ID theft. Furthermore, the investigation of ID theft incidents in Lithuania remains rather complicated in practice. Even when evidence of an ID theft incident can be found (eg, a fake profile on a social networking website), it can be rather difficult to obtain information from providers of electronic communication services that would help the local judicial authorities to investigate the crime further (eg, IP addresses or mail addresses used by the offender).

Luxembourg

Applicable laws

Laws focusing explicitly on ID theft
No legislation has been introduced in Luxembourg that focuses explicitly on ID theft as a specific crime, or that defines such a crime. In practice, ID theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, etc.). No such legislation is currently under consideration to our knowledge.

Other laws that may apply to ID theft incidents

Data protection laws
Relevant law: Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data, as amended (‘Loi du 2 août 2002 relative à la protection des personnes à l’égard du traitement des données à caractère personne, telle que modifiée’).
Reference: http://www.cbpweb.nl/downloads_wetten/WBP.PDF?refer=true&theme=purple
Main provisions in relation to ID theft: As under the Data Protection Directive 95/46/EC, ID theft incidents will typically constitute unlawful processing, as they will violate the legitimacy requirements, the proportionality obligations and purpose restriction, the transparency obligations, the security obligations and formal obligations such as prior notification to the Luxembourg Data Protection Authority (the 'Commission Nationale pour la Protection des Données').
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, the violations above can also be criminally sanctioned with fines of EUR 251.00 to EUR 125,000.00.

Communications secrecy laws – contents of communication
Relevant law: Criminal Code ('Code Pénal').
Reference: http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T02.pdf and http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T08.pdf
Main provisions in relation to ID theft: Article 149 of the Luxembourg Criminal Code punishes any public servant or employee of the national postal service who has opened or suppressed letters entrusted to the national postal service. Article 460 of the Luxembourg Criminal Code punishes anyone else who has opened or suppressed letters entrusted to the national postal service.
Prescribed sanction: In addition to damages that may be awarded to the victim in civil proceedings:
- anyone liable for an infringement of Article 149 of the Luxembourg Criminal Code incurs imprisonment of between 15 days and 2 months and/or a fine of between EUR 251.00 and EUR 5,000.00;
- anyone liable for an infringement of Article 460 of the Luxembourg Criminal Code incurs imprisonment of between 8 days and 2 months and/or a fine of between EUR 251.00 and EUR 2,000.00.

Communications secrecy laws – contents of communication
Relevant law: Law of 11 August 1982 on privacy ('Loi du 11 août 1982 concernant la protection de la vie privée').
Reference: http://www.legilux.public.lu/leg/textescoordonnes/compilation/recueil_lois_speciales/VIE.pdf
Main provisions in relation to ID theft: Article 2 of the Law of 11 August 1982 on privacy forbids anyone from intentionally infringing the privacy of a third party:
• by opening, taking cognisance by any means whatsoever of the content of, or suppressing a message sent or forwarded in a sealed envelope, without the consent of its recipient;
• by listening to or causing to be listened to, recording or causing to be recorded, or broadcasting or causing to be broadcast, by any device whatsoever, words spoken in private, without the consent of the speaker.
Article 3 of the same law also forbids installing any device with a view to committing the above offences or making them possible. This would apply to any ID theft incident involving the recording or interception of communications.
Prescribed sanction: In addition to damages that may be awarded to the victim in civil proceedings, anyone liable for an infringement of the above provisions incurs imprisonment of between eight days and one year and a fine of EUR 251.00 to EUR 5,000.00.

Communications secrecy laws – contents and traffic data relating to electronic communication
Relevant law: Law of 30 May 2005 on specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector and amending Articles 88-2 and 88-4 of the Code of Criminal Procedure ('Loi du 30 mai 2005 relative aux dispositions spécifiques de protection de la personne à l'égard du traitement des données à caractère personnel dans le secteur des communications électroniques et portant modification des articles 88-2 et 88-4 du Code d'instruction criminelle').
Reference: See pages 26 to 31: http://www.legilux.public.lu/leg/a/archives/2005/0073/a073.pdf#page=26
Main provisions in relation to ID theft: Article 4 para. 2 of this Law forbids, as a rule, any third party other than the user of the electronic service from listening to, tapping or storing communications or the related traffic data, or engaging in any other kind of interception or surveillance of them, without the consent of the user. The provision generally applies to unlawful acts in which a third party tries to obtain information on the existence of someone else's electronic communications or on their technical characteristics (eg, protocols used, IP addresses, duration, usernames/passwords), and in which this information is abused. This would apply to any ID theft incident requiring the collection or abuse of such data.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, any person who contravenes the above article shall be sentenced to imprisonment of between eight days and one year and/or a fine of between EUR 251.00 and EUR 125,000.00. The court may also order the cessation of any processing that contravenes this article, subject to a periodic penalty payment.

Fraud
Relevant law: Criminal Code ('Code Pénal').
Reference: See page 18: http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T03.pdf
Main provisions in relation to ID theft: Article 231 of the Luxembourg Criminal Code punishes anyone who has publicly taken the name of a third party. According to Luxembourg case law, this article only sanctions the public use of a third party's name; it should not apply to the theft of a login or password that remains private.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, any person who contravenes the above article shall be sentenced to imprisonment of between eight days and three months and/or a fine of between EUR 251.00 and EUR 3,000.00.
Fraud
Relevant law: Criminal Code ('Code Pénal').
Reference: See page 11: http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T09.pdf
Main provisions in relation to ID theft:
1. Article 496 of the Luxembourg Criminal Code forbids any act of swindling consisting in using a false name or false capacity in order to obtain assets or valuables.
2. Article 496-1 of the Luxembourg Criminal Code punishes anyone who has made a false or incomplete statement in order to obtain or keep social benefits.
Prescribed sanction: Respectively:
1. Under Article 496, apart from damages that the victim may receive in civil proceedings, any person who contravenes the article shall be sentenced to imprisonment of between 1 month and 5 years and a fine of between EUR 251.00 and EUR 30,000.00;
2. Under Article 496-1, apart from damages that the victim may receive in civil proceedings, any person who contravenes the article is liable to imprisonment of between 1 month and 5 years and a fine of between EUR 251.00 and EUR 30,000.00.

Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law: Criminal Code ('Code Pénal').
Reference: See pp. 8 to 14: http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T03.pdf
Main provisions in relation to ID theft: Forgery with respect to identities on a document is punished by the following articles of the Luxembourg Criminal Code:
- Article 194: forgeries committed by public servants in the course of their duties on official documents, including through the use of falsified signatures or by falsifying information in official registers or documents;
- Articles 195 and 196: forgeries committed by any other person on public or private documents, including electronic documents, by using falsified, added or altered signatures or written statements, as well as the use of falsified documents;
- Article 198: falsifying passports or other identity documents, or knowingly using such documents.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• violations of Article 194 (public servants) can be criminally sanctioned with imprisonment of between 10 and 15 years;
• violations of Article 196 (general public) can be criminally sanctioned with imprisonment of between 5 and 10 years;
• violations of Article 198 (general public) can be criminally sanctioned with imprisonment of between 1 month and 2 years and/or a fine of between EUR 251.00 and EUR 12,500.00.

Cybercrime – illegal access to information systems (hacking)
Relevant law: Criminal Code ('Code Pénal').
Reference: See page 16: http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T09.pdf
Main provisions in relation to ID theft: Article 509-1 of the Luxembourg Criminal Code punishes anyone who has fraudulently accessed, or remained within, all or part of an automated data processing system. This would apply to ID theft incidents involving the use of false credentials to gain unauthorised access to an information system, or to steal credentials from such a system.
Prescribed sanction: In addition to damages that may be awarded to the victim in civil proceedings, anyone who breaches Article 509-1 of the Luxembourg Criminal Code incurs imprisonment of between 2 months and 2 years and/or a fine of between EUR 500.00 and EUR 25,000.00. Where this conduct results in the suppression or modification of data contained in that system, or in any alteration of the functioning of that system, the sentence is imprisonment of between 4 months and 2 years and/or a fine of between EUR 1,250.00 and EUR 25,000.00.

Cybercrime – illegal data interference
Relevant law: Criminal Code ('Code Pénal').
Reference: See page 17: http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T09.pdf
Main provisions in relation to ID theft: Article 509-3 of the Luxembourg Criminal Code punishes anyone who has, intentionally and in disregard of the rights of third parties, directly or indirectly introduced, deleted or modified data in an automated data processing system. This would apply to ID theft incidents involving the falsification of identity information stored in an information system.
Prescribed sanction: In addition to damages that may be awarded to the victim in civil proceedings, anyone who breaches Article 509-3 of the Luxembourg Criminal Code incurs imprisonment of between 3 months and 3 years and/or a fine of between EUR 1,250.00 and EUR 12,500.00.

Cybercrime – computer-related forgery
Relevant law: Criminal Code ('Code Pénal').
Reference: See p. 9: http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T03.pdf and p. 7: http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T09.pdf
Main provisions in relation to ID theft: The above-mentioned Article 196 of the Luxembourg Criminal Code, as amended by the Law of 14 August 2000 on e-commerce, punishes computer-related forgery and in particular the falsification of electronic documents. This would apply to ID theft incidents involving the falsification and use of such documents. In addition, Article 488 of the Luxembourg Criminal Code, as amended by the same law, punishes anyone who has counterfeited or altered keys, including electronic keys. However, the law does not define 'electronic keys', and whether they cover logins and passwords has not yet been settled by the Luxembourg courts.
Prescribed sanction: Article 196 of the Luxembourg Criminal Code sets forth imprisonment of between 5 and 10 years. Article 488 of the Luxembourg Criminal Code sets forth imprisonment of between 3 months and 2 years and a fine of between EUR 251.00 and EUR 2,000.00.

Cybercrime – computer-related fraud
Relevant law: Criminal Code ('Code Pénal').
Reference: See page 16: http://www.legilux.public.lu/leg/textescoordonnes/codes/code_penal/cp_L2T09.pdf
Main provisions in relation to ID theft: Article 509-2 of the Luxembourg Criminal Code punishes anyone who has, intentionally and in disregard of the rights of third parties, obstructed or interfered with the functioning of an automated data processing system.
Prescribed sanction: A breach of Article 509-2 of the Luxembourg Criminal Code is punishable by imprisonment of between 3 months and 3 years and/or a fine of between EUR 1,250.00 and EUR 12,500.00.
Application in practice

Claiming a false identity online (eg, creating an account on a social networking site such as Facebook under someone else's name)
Applicable law(s): Such an incident would likely involve:
- a violation of data protection laws, since the victim's personal data would likely be unlawfully processed to make the false identity believable (eg, publication of the victim's name, address, photo, etc.);
- a violation of communication secrecy laws, if the false profile results in messages intended for the real person being sent to the false profile;
- illegal data interference, if the forgery changed the legal effect of the information;
- usurpation of name (in public), since the name of a third party is publicly and fraudulently used.
Case law available? N.A.

Unlawfully using another person's credentials (eg, using someone else's username or password to send e-mails in his/her name)
Applicable law(s): Most of the qualifications above could apply, depending on how the credentials were used:
- a violation of data protection laws, since the credentials are likely to be considered personal data that are being unlawfully processed;
- a violation of communication secrecy laws, if the use of the credentials can be qualified as unlawful access to data relating to electronic communications (eg, to make bank transfers);
- illegal access to information systems (hacking);
- possibly, use of falsified keys;
- swindling, if falsified messages were sent in order to unlawfully appropriate property.
Case law available? N.A.
Phishing (using e-mails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else's bank account)
Applicable law(s): The act of phishing itself (independent of what the perpetrator does with the stolen information) would likely be:
- a violation of data protection laws, since the e-mail addresses, credentials, etc. are likely to be considered personal data that are being unlawfully processed;
- a violation of communication secrecy laws, if the collection of the relevant credentials can be qualified as unlawful access to data relating to electronic communication;
- illegal access to information systems and/or illegal data interference, if the act of phishing involved entering, changing or deleting information in an information system without authorisation (eg, in order to falsify a website).
Case law available? N.A.

Using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits
Applicable law(s): The act of using falsified identity documents to unlawfully apply for social benefits would likely be:
- a violation of data protection laws, since the stolen information enabling the application for social benefits is likely to be considered personal data that are being unlawfully processed;
- forgery of identity documents, fraud by false or incomplete statement in order to obtain social benefits and, possibly, fraudulent public use of a third party's name;
- illegal access to information systems, where spyware was installed on the victim's system to obtain the information, since installing the spyware is likely a violation of access rights;
- illegal data interference in the same case, since installing the spyware involves installing software on the victim's information system.
Case law available? N.A.
Trafficking in unlawfully obtained personal information (eg, selling databases of e-mail addresses to e-mail marketers)
Applicable law(s): The act of trafficking in unlawfully obtained information would likely be:
- a violation of data protection laws, since the personal information would be unlawfully processed;
- a violation of communication secrecy laws, if the personal information contained data relating to electronic communications (such as e-mail addresses, IP addresses, etc.).
Case law available? N.A.

There is neither a specific website dedicated to the reporting of ID theft in Luxembourg nor any other specific offline reporting mechanism. Victims of ID theft are required to go through official channels, and have the following three options:
• They can file a criminal complaint at the offices of the Luxembourg Police Force ('Police grand-ducale'). The Luxembourg Police Force has also developed an online form enabling victims to file an online complaint165. However, such an online complaint has no legal value and must be completed by a physical complaint. The Luxembourg Police Force has set up a 'New Technologies' service, which is in charge of the investigation and prosecution of computer-related crime. This service has eight engineers and two judicial police officers ('officiers de police judiciaire'). They are competent to receive complaints from end-users; if they consider a complaint well-founded, they transfer the case to the Luxembourg Public Prosecutor;
• Victims can file a criminal complaint either with the Public Prosecutor ('Procureur d'Etat') or with the competent Examining Magistrate ('juge d'instruction'). The Luxembourg Public Prosecutor has investigation and prosecution powers over ID theft insofar as it falls under the provisions of the Luxembourg Criminal Code.
By virtue of the principle of prosecutorial discretion, the Public Prosecutor decides whether further investigation and criminal prosecution are to be launched, and can therefore decide to drop the case if he considers that no criminal offence has been committed. When a complaint for damages related to ID theft is filed with the Luxembourg Examining Magistrate alleging that a criminal offence has been committed, the Examining Magistrate is obliged to investigate. If the evidence collected is sufficient, the Examining Magistrate refers the case for criminal prosecution before the competent Luxembourg criminal court; otherwise he drops the case. If the 'victim's' action is dismissed, the 'victim' may be ordered to pay a fine;
• Finally, victims of ID theft may also bring a civil action before the Luxembourg criminal or civil courts, provided that they know the identity of the defendant.

In addition, it is worth mentioning the work undertaken by CASES (www.cases.lu), a service of the Luxembourg Ministry of Economy and Foreign Trade. This service aims at increasing awareness of the risks relating to computer systems and information networks among administrations, companies and citizens. Through its website, CASES provides highly comprehensive information on the risks relating to computer systems and information networks (such as spam, spyware, viruses, worms, Trojan horses, loss of data, phishing, etc.), including information aimed at children. CASES also provides information on practical tools against computing risks (such as antivirus and antispyware software, firewalls, cryptography solutions, intrusion detection systems, etc.), as well as instructions for the use of computing technologies so as to ensure the protection of data. Additionally, CASES trains more than 10,000 pupils a year on information security and offers training to teachers, parents and companies, in close cooperation with the Ministry of Education.
165 http://www.police.public.lu/functions/contact/index.php

Thus CASES holds an essential role in Luxembourg in disseminating information on the risks related to the Internet, including ID theft and social engineering. This service is, however, not entitled to investigate or prosecute cybercrime. The CASES project has been recognised as 'good practice' by ENISA and is referenced in 'Raising Awareness in Information Security - Insight and Guidance for Member States'166. CASES educates end-users through its website www.cases.lu and various prevention campaigns, notably in schools. In particular, CASES launched in January 2009 a campaign to improve the handling of private data on social networking sites, blogs and homepages. In November 2008 CASES also carried out a campaign to make people aware of the dangers of social engineering and of the value of private information.

Personal assessment of the framework for combating ID theft
Overall, the legal framework for combating ID theft incidents in Luxembourg seems sufficiently comprehensive: most ID theft incidents should be covered under present legislation. The highly comprehensive information disseminated by CASES in relation to cybercrime and ID theft can also be considered a positive development. However, there is no single point of contact, online or offline, dedicated to reporting ID theft. Victims of ID theft are required to go through official channels (ie, especially registering a complaint with local police offices). This process is still relatively opaque to victims, and follow-up to such complaints can be slow, depending on the resources available to the investigating magistrates. ID theft does not appear to take high priority in investigations, except in cases of clear and significant harm to the victim.
166 http://www.cases.public.lu/fr/publications/presentations/2005_12_14_ENISA/index.html

Malta

Applicable laws

Laws focusing explicitly on ID theft
To date there is no legislation in Malta that explicitly regulates 'ID theft' as a specific sui generis offence or contravention or, for that matter, that provides any express definition of or sanctions for such a specific crime. At the date of drafting this Malta profile we are not aware of any laws being proposed, planned or otherwise considered with the intention of expressly legislating on such a crime or of otherwise providing a definition or specific sanctions for the offence of 'ID theft'. Following a request for information to the Malta Police Force Cyber Crime Unit (hereinafter 'the Unit'), we can also confirm that the Unit itself is not aware of or involved in any discussions or consultations in this respect. Therefore, at present, in the event that an incident of ID theft occurs, legal action may be pursued under Maltese law only if the incident may be deemed to constitute or form part of another offence at law (or to be 'preparatory works' for such other offence or, for instance, 'conspiracy' to commit such other offence).

Other laws that may apply to ID theft incidents

Data protection laws
Relevant law: The Data Protection Act (Chapter 440 of the Laws of Malta; Act XXVI of 2001, as amended by Acts XXXI of 2002 and IX of 2003, Legal Notices 181 and 186 of 2006 and 426 of 2007, and Act XVI of 2008), to make provision for the protection of individuals against the violation of their privacy by the processing of personal data and for matters connected therewith or ancillary thereto.
Reference: See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_13/chapt440.pdf
Main provisions in relation to ID theft: The Data Protection Act transposes the provisions of the Data Protection Directive 95/46/EC.
ID theft incidents should constitute unlawful processing that violates several obligations of the controller under the Data Protection Act, including amongst others:
(i) Article 7 – requirements for processing (including the rules relating to proportionality, purpose, transparency, security and data retention);
(ii) Article 9 – criteria for processing (including unambiguous consent and necessity to process);
(iii) Article 29 – prior notification.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, an offence under the Data Protection Act renders the person convicted criminally liable to either: (i) a fine (multa) not exceeding EUR 23,293.73; or (ii) imprisonment for six (6) months; or (iii) both fine and imprisonment.

Communications secrecy laws
Relevant law: The Electronic Communications (Personal Data and Protection of Privacy) Regulations (1 April 2004), Subsidiary Legislation 399.25, Legal Notice 19 of 2003, as amended by Legal Notices 523 of 2004, 425 of 2007 and 199 of 2008.
Reference: See http://www.gov.mt/frame.asp?l=1&url=http://www2.justice.gov.mt/lom/home.asp
Main provisions in relation to ID theft: Reference to these Regulations is made taking into account that the definition of 'ID theft' for the purposes of this report includes any action in which a party 'acquires, transfers, possesses or uses personal information of a natural person in an unauthorized manner...'. These Regulations protect the confidentiality of communications; for instance, under Regulation 4, no person other than the user of the communications may listen to, tap, store or undertake any other form of interception or surveillance of communications and of any related traffic data without the consent of the user concerned.
These Regulations also provide that the use of electronic communications networks to store information, or to gain access to information stored in the terminal equipment of a subscriber/user, shall only be allowed on condition that the subscriber/user concerned is provided by the controller with clear and comprehensive information, including information about the purposes of the processing, in accordance with the Data Protection Act. Failure to abide by this regulation is an offence. In addition, the Regulations regulate the processing of traffic data and location data and stipulate that such processing is to be carried out only by persons acting under lawful authority as set out in the Regulations, and only for purposes that are necessary. Failure to abide by this regulation also constitutes an offence.
Prescribed sanction: A person who suffers any loss or damage because of a contravention of these Regulations is entitled to bring an action before the competent civil court seeking compensation for that loss or damage. Otherwise, any person who contravenes or fails to comply with the Regulations shall be liable to: (i) an administrative fine not exceeding EUR 23,293.73 for each violation; and (ii) EUR 2,329.37 for each day during which the violation persists, such fine to be determined and imposed by the Data Protection Commissioner.

Communications secrecy laws
Relevant law: The Maltese Constitution.
Reference: See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt0.pdf
Main provisions in relation to ID theft: The Maltese Constitution provides for the fundamental right and freedom of persons from interference with their private correspondence. This right applies irrespective of the tools or means of communication used and therefore encompasses a much wider protection of personal data in the context of private correspondence.
Where private correspondence is interfered with in the execution of the crime of ID theft, the injured person may bring an action in the Civil Court, First Hall, to protect his/her fundamental right in this respect. This action is without prejudice to any other action with respect to the same matter that is lawfully available to the injured person.
Prescribed sanction: In the event of a breach of such a fundamental freedom, the courts are to give such directions as they may consider appropriate for the purpose of enforcing, or securing the enforcement of, the right and the protection to which the person concerned is entitled under that right. This action is without prejudice to any other action with respect to the same matter that is lawfully available to the injured person.

Communications secrecy laws
Relevant law: The Electronic Commerce Act (Chapter 426 of the Laws of Malta) of 10 May 2002, as amended.
Reference: See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_13/chapt426.pdf
Main provisions in relation to ID theft: Article 23 of the E-Commerce Act makes it an offence for a person to access, copy or otherwise obtain possession of, or to recreate, the signature creation device of another person without authorisation, for the purpose of creating, or allowing or causing another person to create, an unauthorised electronic signature using that signature creation device. It is also an offence for a person to alter, disclose or use the signature creation device of another person without authorisation, or in excess of lawful authorisation, for the purpose of creating, or allowing or causing another person to create, an unauthorised electronic signature using that signature creation device.
More specifically, the E-Commerce Act stipulates that no person shall create, publish, alter or otherwise use a certificate or an electronic signature for any fraudulent or other unlawful purpose, and that no person shall misrepresent his identity or authorisation in requesting or accepting a certificate or in requesting the suspension or revocation of a certificate.
Prescribed sanction: Any person contravening any of the provisions of the Electronic Commerce Act shall be guilty of an offence and shall, on conviction, be liable to: (i) a fine (multa) not exceeding EUR 232,935; or (ii) imprisonment not exceeding six (6) months; or (iii) both such fine and imprisonment. In the case of a 'continuous' offence the punishment shall be a fine not exceeding EUR 2,325 for each day during which the offence continues.

Communications secrecy laws – connection to telecoms system
Relevant law: Criminal Code, Chapter 9 of the Laws of Malta, as amended.
Reference: See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt9.pdf
Main provisions in relation to ID theft: Article 298A of the Criminal Code (Fraud) provides that constructing, altering, making or possessing (or otherwise selling or purchasing) any device with which one may 'unlawfully connect with any telecommunication system' is an offence.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, liability for an offence under Article 298A is as follows: (a) where the offence is committed for gain or by way of trade, imprisonment for a term not exceeding one year or a fine (multa) of not more than EUR 4,658.75, or both such fine and imprisonment; and (b) in all other cases, a fine (multa) of not more than EUR 2,329.37.

Identity Cards Act
Relevant law: The Identity Cards Act, Chapter 258 of the Laws of Malta (Act LI of 1975, as amended).
Reference: See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_6/chapt258.pdf
Main provisions in relation to ID theft: Under this Act, an 'identity card' is defined as a document issued in respect of a person under and in accordance with the Act for the purpose of identifying that person. Article 12 of the Act states that no person other than the holder of an identity card issued under the Act (or the authorised agent of the holder) shall have in his possession or make any use whatever of any identity card, and any person who comes into possession of an identity card issued to some other person is to deliver or forward it immediately to its holder.
Prescribed sanction: Any person who contravenes any of the provisions of the Act shall, in respect of each offence, be liable to a fine (multa) not exceeding EUR 232.94 and, in the case of a continuing offence, to a fine (multa) not exceeding EUR 11.65 for each day during which the offence continues. In addition, a person shall be liable on conviction to imprisonment for a period of not less than two (2) years and not exceeding five (5) years if, with 'intent to deceive', he: (i) contravenes such provisions or makes any false statement; or (ii) gives any false information; or (iii) produces any false document for any of the purposes of the Act, knowing the same to be false; or (iv) forges an identity card or any other document whatsoever required by, or intended for, any of the purposes of the Act; or (v) aids or abets the commission of any offence against the Act.

Passport Ordinance
Relevant law: The Passport Ordinance, Chapter 61 of the Laws of Malta (10 July 1928), enacted by Ordinance III of 1928, as amended.
Reference: See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_3/chapt61.pdf
Main provisions in relation to ID theft: Under the Act, a ‘passport’ is defined as a certificate of identity, identity card or official document issued for travel purposes by the competent authority. An incident of ID Theft may be deemed to occur in the event that a passport is used unlawfully, including as follows:
Article 3 – Transfer of passport: it is an offence if a person who is in possession of a passport, whether issued to him by a competent authority or not, transfers such passport to any other person or receives a passport transferred to him by any other person.
Article 4 – Use of passport issued to another person: it is an offence if a person makes use, or attempts to make use, of a passport issued to any other person.
Article 5 – Falsification of passport: it is an offence if any person forges, alters or tampers with any passport or uses or has in his possession any passport which he knows to be forged, altered or tampered with.
Article 6 – False statement in application for passport: it is an offence if a person knowingly makes any false statement in any application or recommendation in connection with the issue or renewal of a passport.
Prescribed sanction: The following sanctions shall apply: (i) an infringement of Article 3 – imprisonment for a term not exceeding two years; (ii) an infringement of Article 4 – imprisonment for a term not exceeding six months; (iii) an infringement of Article 5 – imprisonment for a term from six months to two years; (iv) an infringement of Article 6 – imprisonment for a term not exceeding six months.

Fraud
Relevant law: Criminal Code, Chapter 9 of the Laws of Malta as amended.
Reference: See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt9.pdf
Main provisions in relation to ID theft: The Criminal Code regulates ‘Fraud’ and ancillary offences of fraud under Sub-title III of Title IX of the Act. The Act provides offences with respect to specific acts of fraud such as (i) fraud by ‘misappropriation’ of anything belonging to another that has been entrusted to a person, or (ii) fraud relating to insurance, or (iii) fraudulent breach of trust in respect of papers signed in blank, etc. More specifically, however, Article 308 of the Criminal Code provides an offence in the event that a person ‘by means of any unlawful practice, or by the use of any fictitious name, or the assumption of any false designation, or by means of any other deceit, device or pretence calculated to lead to the belief in the existence of any fictitious enterprise or of any imaginary power, influence or credit, or to create the expectation or apprehension of any chimerical event, shall make any gain to the prejudice of another person’. Article 309 of the Criminal Code deals with all other cases of fraudulent gain and therefore provides for an offence in the event that a person makes ‘any other’ fraudulent gain not mentioned in Article 308.
Prescribed sanction: Aside from civil damages which may be awarded in civil proceedings, the following applies: (i) violations of Article 308 can be criminally sanctioned with imprisonment for a term from seven months to two years; (ii) violations of Article 309 can be criminally sanctioned by imprisonment for a term from one to six months or by a fine.
In both cases, however, the following may apply: (a) when the amount of the damage caused by the offender exceeds €2,329.37, the punishment shall be that of imprisonment from thirteen months to seven years; (b) when the amount of the damage caused by the offender exceeds €232.94 but does not exceed €2,329.37, the punishment shall be that of imprisonment from five months to three years (unless higher according to the Criminal Code); (c) when the amount of the damage caused by the offender does not exceed €23.29, the offender shall be liable to imprisonment for a term not exceeding three months; (d) when the amount of the damage caused by the offender does not exceed €11.65, the offender shall be liable to imprisonment for a term not exceeding twenty days or to a fine or to the punishments established for contraventions.

Forgery with respect to identity (ie, falsifying identities on a document)
Relevant law: Criminal Code, Chapter 9 of the Laws of Malta as amended.
Reference: See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt9.pdf
Main provisions in relation to ID theft: The offence of forgery is governed by Articles 166 to 177 of the Criminal Code, including particularly:
• Article 166: forgery of Government debentures or opening of credit relative to such loan in the books of the Government Treasury;
• Article 167: forgery of any schedule, ticket, order or other document whatsoever, upon the presentation of which any payment may be obtained, or any delivery of goods effected, or a deposit or pledge withdrawn from any public office or from any bank or other public institution established by the Government, or recognized by any public act of the Government;
• Article 170: forgery of Government or judicial or official acts;
• Articles 179-182: forgeries committed by public officers or public servants;
• Article 183: forgery of any authentic and public instrument or of any commercial document or private bank document, by counterfeiting or altering the writing or signature, by feigning any fictitious agreement, disposition, obligation or discharge, or by the insertion of any such agreement, disposition, obligation or discharge in any of the said instruments or documents after the formation thereof, or by any addition to or alteration of any clause, declaration or fact which such instruments or documents were intended to contain or prove;
• Article 187: forgery of private writings;
• Article 188: false declaration or information to a public authority;
• Article 189: any other type of forgery not provided for above.
NB: Pursuant to Article 189A of the Criminal Code, the aforementioned Articles apply to forgery of any ‘document’, ‘instrument’, ‘writing’, ‘book’, ‘card, disk, tape, soundtrack or other device on or in which information is or may be recorded or stored by mechanical, electronic or other means’.
Prescribed sanction: Aside from damages that the victim may receive in civil proceedings, the punishments for offences under the following Articles shall be: (i) Article 166: imprisonment for 3 up to 5 years, with or without solitary confinement.
If the forgery consists of the endorsement of a genuine Government debenture, 13 months up to 4 years, with or without solitary confinement. (ii) Article 167: 13 months up to 4 years, with or without solitary confinement; (iii) under Articles 166 and 167, if committed by a public officer or servant, the punishment shall be increased by one degree; (iv) Article 170: imprisonment of 2 up to 4 years, with or without solitary confinement (increased by one degree if the fact is committed by a public officer/servant); (v) Articles 179-182: imprisonment of 18 months up to 3 years, with or without solitary confinement; (vi) Article 183: imprisonment of 13 months up to 4 years, with or without solitary confinement; (vii) Article 184 adds that any person who shall knowingly make use of any of the false acts, writings, instruments or documents mentioned in the preceding articles of this sub-title shall, on conviction, be liable to the punishment established for the forger; (viii) Article 187: imprisonment for a term from seven months to three years, with or without solitary confinement; whosoever shall knowingly make use thereof shall be liable to the same punishment; (ix) Article 189: 6 months imprisonment (or 7 months to 1 year imprisonment if the fact is committed by a public officer). In all crimes of forgery committed by public officers or servants, the punishment of perpetual general interdiction shall always be added to the punishment laid down for the crime.

Cybercrime – illegal access to information systems (hacking)
Relevant law: Criminal Code, Chapter 9 of the Laws of Malta as amended.
Reference: See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt9.pdf
Main provisions in relation to ID theft: Computer misuse and illegal access to information systems are regulated by Articles 327B to 337H of the Criminal Code, particularly by Article 337C, which could apply in cases where the use of false credentials to gain unauthorised access to an information system, or the theft of credentials from such a system, constitutes ID theft:
• Article 337C(1)(a): unlawful access to or use of information without authorisation, that is, if a person uses a computer or any other device or equipment to access any data, software or supporting documentation held in that computer or on any other computer, or uses, copies or modifies any such data, software or supporting documentation without authorisation;
• Article 337C(1)(b): outputting data/software/supporting documentation without authorisation;
• Article 337C(1)(c): copying data/software/supporting documentation without authorisation;
• Article 337C(1)(d): preventing access to data, software or supporting documentation without authorisation;
• Article 337C(1)(e): impairing the operation of a system without authorisation;
• Article 337C(1)(f): taking possession of data/software/supporting documentation without authorisation;
• Article 337C(1)(g): installing, moving, altering, destroying, varying or adding data/software/supporting documentation without authorisation;
• Article 337C(1)(h): disclosing a password or other means of access;
• Article 337C(1)(i): using another person’s access code, password, user name, electronic mail address or other means of access or identification information in a computer.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Any person who contravenes any of the above-mentioned provisions shall be guilty of an offence and shall be liable on conviction to a fine not exceeding €23,293.73 or to imprisonment for a term not exceeding four years, or to both such fine and imprisonment.
• If the same act is detrimental to any function or activity of the government, public service or utility, OR is committed by an employee to the prejudice of his employer, OR in most cases of recidivism: the fine shall be from €232.94 up to €116,468.67, or imprisonment, or both fine and imprisonment. For recidivists the penalty shall be of no less than €1,164.69.
• A person who produces any material or does any other act preparatory to or in furtherance of the commission of any offence under these Articles (or any accomplice in such offences) shall be guilty of that offence and shall on conviction be liable to the same punishment provided for the offence.

Cybercrime – illegal data interference
Relevant law: See under the sections devoted to ‘Communications secrecy laws – connection to telecoms system’ and to ‘Cybercrime – illegal access to information systems (hacking)’.
Reference: (as above)
Main provisions in relation to ID theft: Particularly relevant is the above-mentioned Article 337C(1)(g) of the Criminal Code.
Prescribed sanction: (as above)

Cybercrime – computer-related forgery
Relevant law: Criminal Code, Chapter 9 of the Laws of Malta as amended.
Reference: See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt9.pdf
Main provisions in relation to ID theft: See the section above regarding computer misuse and the sections regarding forgery above (mainly Article 337C(1)(g): installs, moves, alters, destroys, varies or adds data/software/supporting documentation without authorisation).
Prescribed sanction: Sanctions as described above may apply in relation to both offences of general forgery and of computer misuse.

Cybercrime – computer-related fraud
Relevant law: Criminal Code, Chapter 9 of the Laws of Malta as amended.
Reference: See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt9.pdf
Main provisions in relation to ID theft: See the sections above regarding computer misuse (Article 337C of the Criminal Code). However, identity theft by computer-related fraud could also fall under the general Articles on fraud discussed above.
Prescribed sanction: Sanctions as described above may apply in relation to both offences of general fraud and of computer misuse.

Cybercrime – threats, private violence and harassment
Relevant law: Criminal Code, Chapter 9 of the Laws of Malta as amended.
Reference: See http://docs.justice.gov.mt/lom/legislation/english/leg/vol_1/chapt9.pdf
Main provisions in relation to ID theft: Article 249 of the Criminal Code provides that threatening the commission of any crime whatsoever by means of any writing, whether anonymous or signed or in a fictitious name, is an offence. This applies when, for instance, the incidence of ID Theft allows a person to threaten the commission of a crime (eg, by sending email to the victim of the ID theft with threats or by using the victim’s email to send threats to others).
Other offences which can also be derived from or related to ID Theft include: (i) Article 250 – blackmail: that is, when a person, with intent to extort money or any other thing, or to make gain, or with intent to induce another person to execute, destroy, alter or change any will, or written obligation, title or security, or to do or omit from doing any thing, shall threaten to accuse or to make a complaint against, or to defame, that or another person; (ii) Article 251A – harassment: that is, when a person pursues a course of conduct (a) which amounts to harassment of another person, and (b) which he knows or ought to know amounts to harassment of such other person.
Prescribed sanction: On conviction of a crime in terms of Article 249, the accused shall be liable to imprisonment for a term from one to six months. On conviction of a crime in terms of Article 250, the accused shall be liable to imprisonment for a term from five to eighteen months; if the offender attained his end, imprisonment for a term of seven months to three years. On conviction of a crime in terms of Article 251A, the accused shall be liable to the punishment of imprisonment for a term from one to three months or to a fine of not less than EUR 2,329.37 and not more than EUR 4,658.75, or to both such fine and imprisonment. The punishment may be increased by one degree in certain cases (eg, if the offence is against one’s own father or mother).

Application in practice
In the sections below, we will examine if/how these regulations are applied in practice, including the identification of any known case law and resulting sanctions.
Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else’s name)
Applicable law(s): Creating a ‘false identity online’ (that is, the creation of a fictitious, non-existing identity online) is not in itself illegal under Maltese law unless it is deemed to constitute another offence (such as fraud) which is intended to be committed or is committed via the creation of a false identity. If, rather than claiming a ‘false identity’, one falsely claims to be someone who he is not (that is, he/she commits an incident of Identity Theft by claiming to be someone else and entering into the identity of that someone else), then such an incident would likely involve: (a) violation of data protection laws, since personal data of the victim would likely be unlawfully processed to make the false identity believable (eg, publication of the victim's name, address, photo, etc.); (b) forgery / computer-related forgery, if the incident of ID Theft meant that any information/document was forged by the offender; (c) violation of the ID Card Act or the Passport Ordinance if unlawful reference to an ID card or passport (or to a false ID card or passport) is made by the offender when creating the false identity; (d) fraud / computer-related fraud, if the false identity was used to unlawfully make gain; (e) threats / harassment, depending on how the false identity was used/abused.
Case law available? Yes. For instance, in the case Police Vs Olaf Cini et (Court of Magistrates, Criminal), Case No. 64/2006, Olaf Cini was found guilty of committing an offence in terms of Articles 187 and 188 (forgery of private writings and false declaration or information to a public authority, respectively), and this primarily because he had sent an email which he drafted but which he signed with someone else’s details and without that other person’s consent or authorisation.
Considering that he was a recidivist (having previously committed criminal offences), the Court sentenced Mr Cini to 10 months imprisonment.

Unlawfully using another person’s credentials (eg, using someone else’s username or password to send emails in his/her name)
Applicable law(s): (As above.) Most of the qualifications above could apply, depending on how the credentials were used: (a) violation of the Data Protection Act, since the credentials are likely to be considered personal data which is being unlawfully processed; (b) fraud and/or computer-related fraud, if falsified messages were sent to unlawfully appropriate property; (c) violation of the ID Card Act or the Passport Ordinance if unlawful reference to an ID card or passport (or to a false ID card or passport) is made by the offender when creating the false identity; (d) illegal access to information systems, if the credentials were used to access a system without authorisation.
Case law available? Maltese Courts have pronounced several judgements relating to fraud by persons using the credentials of another person. For instance: Police Vs Mary Magdalene Sultana (Case Number 12/2010 – Court of Magistrates, January 2010): in this case Mary Magdalene Sultana was accused of committing an offence in terms of Articles 308, 309 and 310 of the Criminal Code and also Articles 183, 184 and 258 of the Criminal Code by defrauding a bank of EUR 18,600 after using a false identity when she presented herself at the bank’s branch and pretended to be somebody else (who in fact turned out to be her friend). In fact, she was also accused of first appearing at the Identity Card department, where she applied for an identity card in the name of another person (claiming that she – or rather that other person – had lost her identity card). Following the issuance of this ID card she managed to obtain the loan of EUR 18,600 from the bank.
In this case the Court took into consideration that the accused admitted to the crime at the early stages of the case, and therefore found her guilty and sentenced her to 2 years imprisonment. However, since the accused was willing to pay back the sum she unlawfully obtained (EUR 18,600), the court chose to suspend the sentence for 4 years to give her an opportunity to reform. In another case, Police Vs Brenda Mallia (Case No. 289/2009, Court of Magistrates, Criminal, 27th March 2009), Mallia was accused on several counts of having committed several offences under the Criminal Code, including amongst others an offence in terms of unlawful access to, or use of, information under Article 227C(1). Mallia admitted to committing all the offences and the court proceeded to sentence her to 26 months imprisonment.

Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else’s bank account)
Applicable law(s): The act of phishing itself (independent of what the perpetrator would do with the stolen information) would likely be: (a) a violation of the Data Protection Act, since the credentials are likely to be considered personal data which is being unlawfully processed; (b) a violation of communication secrecy laws (the Electronic Communications (Personal Data and Protection of Privacy) Regulations) if the collection of the credentials can be qualified as an offence under the Regulations as described above; (c) fraud and/or computer-related fraud, if information such as passwords etc. is obtained fraudulently; (d) a violation of the ID Card Act or the Passport Ordinance if unlawful reference to an ID card or passport (or to a false ID card or passport) is made by the offender when creating the false identity; (e) harassment under the Criminal Code if harassment techniques are used to obtain information; (f) illegal data interference, if the act of phishing involved entering, changing or deleting information in an information system without authorisation (eg, in order to falsify a website).
Case law available? No; to our knowledge, until the date of publication of this Report the Maltese Courts have not produced any judgements on cases relating to the use of ‘phishing’.

Using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits
Applicable law(s): The following legal sources will apply in the field: (1) The Social Security Act (Chapter 318 of the Laws of Malta): this Act states that if any person, for the purposes of obtaining any social security payment, whether for himself or for some other person, (i) knowingly or recklessly makes any false statement or false representation; or (ii) produces or furnishes, or causes or knowingly allows to be produced or furnished, any document or information which he knows to be false in a material particular; or (iii) fraudulently fails or omits to report to the Director of the competent social security institution, before receiving any payment, any change of circumstances which has or may have a material bearing on the amount, or mode of giving, such payment, he shall, on conviction, be liable to a fine of not less than EUR 46.59 but not exceeding one and a half times the amount of benefit, pension, allowance or assistance unlawfully received or EUR 1,164.69, whichever shall be higher, or to imprisonment for a term of not less than three months but not exceeding twelve months, or to both such fine and imprisonment. Article 118 of the said Act specifically regulates (i) the forgery of a ‘National Insurance Stamp’, (ii) the making, or possession without lawful justification, of any die, plate, instrument or material for forging such stamps, (iii) knowingly distributing or using a forged insurance stamp, or (iv) assisting or abetting in doing any such acts.
Such acts are subject to imprisonment of not less than three years but not exceeding seven years; (2) the Criminal Code (sections on forgery and/or fraud); (3) the Passports Ordinance or the Identity Card Act, if such documents are forged or used in breach of such laws.
Case law available? There are several judgements of the Courts of Malta relating to such subject matter, such as for instance:
o Police Vs Luigia Zarb, Case No. 966/2005 (Court of Magistrates). In this case the accused (Zarb) was found guilty (i) of using false names and of committing fraud in terms of Articles 308, 309 and 310 of the Criminal Code, (ii) of making false declarations in documents intended for a public authority in terms of Article 188 of the Criminal Code and (iii) of infringing Article 117 of the Social Security Act by declaring false information about her inheritance and by presenting falsified documentation. Since the accused admitted guilt on all counts and collaborated with the police, the court found her guilty on all counts and condemned her to twelve months imprisonment suspended for 2 years;
o Police Vs Keith Agius (Case No 1216/2009, Court of Magistrates, Criminal, February 2010). The merits of this case were very similar to those of the above-mentioned Luigia Zarb case. In this case Agius, the accused, was found guilty of committing an offence in breach of Articles 188, 308 and 310(1)a of the Criminal Code, Article 14 of Chapter 258 (the Identity Card Act) and Article 117(1)ii of the Social Security Act. However, since Agius admitted guilt, the court granted him an absolute discharge in terms of Article 22 of the Probation Act (Chapter 446 of the Laws of Malta) on condition that he commit no further crime for 3 years;
o Police Vs Tarcisio Barbara (Case No. 1040/2004, Court of Magistrates, Criminal, October 2009).
In this case the Court sentenced the accused to six months imprisonment, suspended for 2 years, since his police conduct was clean, he admitted his guilt, and he paid back to the government all amounts which he unduly took within a short period.

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)
Applicable law(s): Trafficking in unlawfully obtained information would constitute: (a) a violation of the Data Protection Act, since the personal information would be unlawfully processed; (b) a violation of communication secrecy laws, if the personal information contained data related to electronic communication (like email addresses, IP addresses, etc.); (c) possibly a claim in terms of intellectual property law (including infringement of database rights) if the information/database was stolen from its rightful owner.
Case law available? No; to our knowledge, until the date of publication of this Report the Maltese Courts have not produced any judgements on cases relating to ‘trafficking in unlawfully obtained personal information’.

ID theft reporting mechanisms
In Malta there is no website reporting mechanism exclusively focused on ID Theft. However, reference is made to the following general reporting site, which would cover the reporting of such incidents.

www.polizija.gov.mt – reporting site
This website is an e-government initiative focusing primarily on the reporting by any person whatsoever of any criminal acts and on the provision of information to the police about ongoing or suspected criminal activity. The portal is managed by the Malta Police Force. The scope of the portal is not focused purely on ID Theft incidents but is rather a tool which applies to all types of crimes, including offences which, as discussed above, could also constitute or include elements of ID Theft and which are not necessarily Internet-related crimes.
The website is a single contact point which is available in both the Maltese and the English language. Formal reporting of a crime must be done in one’s own name, in the name of a third party or in the name of a company. Certain obligatory fields must be completed, including details about what was seen at the incident, the locality and a description of the location, and the date and time period. Other general information can be provided to the Police via the website without having to formally report a crime, including anonymously. The website also allows the user to follow up on any report which was filed by him/her and to obtain information from the Police Force relating to the incident.

Other sites
Apart from the www.polizija.gov.mt portal, some other websites (including private initiatives) play a mainly informative role with respect to computer crime, including ID theft. Most notably, reference is made to:
(i) www.dataprotection.gov.mt – the website of the Office of the Data Protection Commissioner provides general information about the legislation which regulates the processing of personal data, with specific emphasis on the principles of data protection. There is, however, no specific mention of the dangers, consequences and/or safeguards against incidents of ID Theft. The website provides a few FAQs to assist users and furthermore provides a Complaints Form which can be downloaded and sent to the Office of the DP Commissioner by conventional mail or by hand, with the purpose of requesting the Commissioner to investigate the case. The Data Protection Commissioner may order the blocking, erasure or destruction of data, impose a temporary or definitive ban on processing, or warn or admonish the controller, and may in addition enforce the provisions of the Act and, in cases of violation, impose administrative fines or institute court proceedings.
(ii) www.mca.org.mt – the website of the Malta Communications Authority, which includes some information on Internet trading and the most common threats faced, including fraud, botnets, ID theft etc.

Personal assessment of the framework for combating ID theft
Generally, the Maltese legislative framework is broad enough to permit incidents of ID Theft to be prosecuted in Malta, as the Malta Police Force Cyber Crime Unit (and possibly the Office of the Data Protection Commissioner) will normally prosecute such a crime under another specific offence in terms of law. Indeed, the practical and technical difficulties of following up and investigating such incidents, collecting evidence and taking action in such cases are several, and undoubtedly the cross-border nature of such crimes remains one of the major obstacles to their successful prosecution. Nevertheless, from a legislative point of view, we note that it may be worth considering the possibility of enacting specific legislation which would broadly define ‘ID Theft’ as a sui generis offence. The reason for this is that prosecuting such an offence should no longer necessarily require the re-moulding of an already-existing offence; for instance, the offence of ID Theft in fraud-related incidents should not necessarily require an element of gain to have been made. Perhaps different degrees of sanctions should also apply depending on the type of ID Theft carried out, the means used to do so and the result of such ID Theft. On a separate note, we are of the opinion that increased efforts are required to educate Maltese Internet users (especially consumers and children) about the possible dangers which may exist online with respect to Identity Theft.
Indeed, we note that the Cyber Crime Unit does invest substantial effort and resources in providing information campaigns about security on the net, especially in schools (for instance, last year the Unit gave presentations in over 50 schools, which presentations would have included guidance on ID Theft). However, at present there appears to be no online tool which serves to provide clear, user-friendly information to such Internet users, and thus the execution of an ongoing online campaign is recommended.

The Netherlands

Applicable laws

Laws focusing explicitly on ID theft
No legislation has been introduced in the Netherlands that focuses explicitly on ID theft as a specific crime, or that defines such a crime. In practice, ID theft incidents are combated using the general provisions below (in relation to personal data protection, fraud, forgery, hacking etc.). ID theft is also an instrument for harassing or stalking. The first is, as such, not covered by law; however, stalking legislation is available in the Netherlands and may be used to cover some ID theft cases. Examples of stalking cases with an ID theft component include ordering products or subscriptions using the identity of other persons. In these cases, victims go through considerable stress and effort to undo all the offender’s actions, while the offender himself has no material benefits. These cases of ID theft occur often, are usually the result of divorces and are hard to stop. No such legislation is currently under consideration to our knowledge. Instead, the policy emphasis in the Netherlands is more on improving awareness of ID theft risks among potential victims and law enforcement bodies.
Other laws that may apply to ID theft incidents

Data protection laws

Relevant law: Law of 6 July 2000 protecting personal data (Wet houdende regels inzake bescherming van persoonsgegevens)
Reference: See http://wetten.overheid.nl/BWBR0011468/
Main provisions in relation to ID theft: As under the Data Protection Directive 95/46/EC, ID theft incidents will typically constitute unlawful processing, as they will violate legitimacy requirements (article 8), proportionality obligations and the purpose restriction (articles 9 and 11), transparency obligations (articles 33-34), security obligations (article 13) and formal obligations such as the prior notification to the Dutch Privacy Agency (dpa) (article 27).
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, the violations above can also be criminally sanctioned with fines of maximum 19.000 EUR or by imprisonment of maximum 6 months.

Data protection laws – Telecommunication providers

Relevant law: Law of 19 October 1998 on telecommunication (Wet houdende regels inzake telecommunicatie)
Reference: See http://wetten.overheid.nl/BWBR0009950
Main provisions in relation to ID theft: This Act declares the law regarding protection of personal data applicable to telecommunication providers. More specifically, article 6.1 of this Act forbids passing acquired and recorded personal data to a third party, and articles 11.2 and 11.3 of this Act impose the protection of personal data by all means, including technical and organizational measures.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations can be sanctioned by OPTA (‘Onafhankelijke Post en Telecommunicatie Autoriteit’) with fines of up to 450.000 EUR depending on the seriousness of the offence.
Communications secrecy laws – contents of electronic communication

Relevant law: Criminal Code (Wetboek van Strafrecht)
Reference: See http://wetten.overheid.nl/BWBR0001854/TweedeBoek/
Main provisions in relation to ID theft: Articles 139c, 139d and 139e forbid the following acts:
• Using any device to record or intercept private data during transfer by electronic means without the consent of all participants (article 139c);
• Using any device to record, listen to or intercept a private conversation, telecommunication or other data during transfer by electronic means without the consent of all participants (article 139d §1);
• Deploying any device with a view to committing this crime (article 139d §2);
• Keeping or unlawfully using (including revealing) any recordings made in violation of the provisions above (article 139e).
This would apply to any ID theft incidents involving the recording of electronic communications.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of article 139c can be criminally sanctioned with fines of maximum 19.000 EUR or imprisonment of maximum 1 year.
• Violations of article 139d can be criminally sanctioned with fines of maximum 19.000 EUR or imprisonment of maximum 1 year.
• Violations of article 139e can be criminally sanctioned with fines of maximum 19.000 EUR or imprisonment of maximum 6 months.

Fraud

Relevant law: Criminal Code (Wetboek van Strafrecht)
Reference: See http://wetten.overheid.nl/BWBR0001854/TweedeBoek/
Main provisions in relation to ID theft: Fraud in general is punished by Article 326 of the Criminal Code. This article sanctions any act of using deception (including use of false names or titles, or any other type of deceptive manipulation or abuse of good faith or credulity) with a view to appropriating someone else’s property. This would apply to any ID theft incidents involving the use of a falsified identity to appropriate property.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of article 326 can be criminally sanctioned with fines of maximum 76.000 EUR or by maximum imprisonment of 4 years. If the fraud has been perpetrated to prepare or help a terrorist activity, the imprisonment sanction is increased by one-third of the sentence.

Forgery with respect to identity (ie, falsifying identities on a document)

Relevant law: Criminal Code (Wetboek van Strafrecht)
Reference: See http://wetten.overheid.nl/BWBR0001854/TweedeBoek/
Main provisions in relation to ID theft: Forgery is punished by Article 225 of the Criminal Code, including particularly:
• Art. 225: forgeries on documents destined as proof of any kind, to be used as true, are punishable.
There is a specific penalisation of forgery of payment cards, article 232 of the Criminal Code, including particularly:
• Art. 232: forgeries on payment cards or any other publicly available carrier of identity information used to perform a payment by electronic means, or the use thereof knowing of the forgery.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of article 255 can be criminally sanctioned with a fine of maximum 76.000 EUR or imprisonment of maximum 6 years.
• Violations of article 232 can be criminally sanctioned with a fine of maximum 76.000 EUR or imprisonment of maximum 6 years.
Cybercrime – illegal access to information systems (hacking)

Relevant law: Criminal Code (Wetboek van Strafrecht)
Reference: See http://wetten.overheid.nl/BWBR0001854/TweedeBoek/
Main provisions in relation to ID theft: Illegal access to information systems is punished by Article 138a of the Criminal Code, including particularly:
• §1: accessing an information system without authorisation, by (a) breaking security, (b) a technical operation, (c) using false signals or a false key or (d) assuming a false identity;
• §2: keeping, processing, revealing or otherwise using data obtained from a hacked system;
• §3: using a public telecommunication network to use the processing capacity of, or to hack on to, a third computer.
The misuse of devices or access codes, with the intent to commit computer sabotage or aggravated hacking, is punished by Article 161 sexies (2) of the Criminal Code.
This would apply to any ID theft incidents involving the use of false credentials to gain unauthorized access to an information system, or to steal credentials from such a system.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
• Violations of article 138a can be criminally sanctioned with fines of maximum 76.000 EUR or by maximum imprisonment of 4 years. If the offence has been perpetrated to prepare or help a terrorist activity, the imprisonment sanction is increased by one-third of the sentence.
• Violations of article 161 sexies (2) can be criminally punished with fines of maximum 76.000 EUR or by maximum imprisonment of 1 year.
Cybercrime – illegal data interference

Relevant law: Criminal Code (Wetboek van Strafrecht)
Reference: See http://wetten.overheid.nl/BWBR0001854/TweedeBoek/
Main provisions in relation to ID theft: Illegal data interference is punished by Articles 350a and 350b of the Criminal Code, including particularly:
When committed with deceptive intent or intent to cause harm (article 350a Criminal Code):
• §1: entering, changing or deleting information in an information system without authorisation, or altering its normal use by any technical means;
• §2: causing serious damage to the data in an information system as a result of committing the crime in §1 by using a public telecommunications network (impeding the correct functioning of an information system as a result of committing the crime qualifies as serious damage, Hoge Raad 19 January 1999);
• §3: providing or distributing any data which was primarily delivered to commit the aforementioned crimes, knowing that these could be used to damage data of an information system;
• §4: the crime as described in §3 is not punishable if done with the intent to minimise the damage.
When committed with negligence/non-intentionally (article 350b Criminal Code):
• §1: entering, changing or deleting information in an information system without authorisation, or altering its normal use by any technical means, if causing serious damage;
• §2: providing or distributing any data which could be used to damage data of an information system.
This would apply to any ID theft incidents involving the falsifying of identity information stored in an information system.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings:
When committed with deceptive intent or intent to cause harm (article 350a Criminal Code):
• Violations of §1 can be criminally sanctioned with fines of maximum 19.000 EUR or imprisonment of maximum 2 years.
• Violations of §2 can be criminally sanctioned with fines of maximum 19.000 EUR or imprisonment of maximum 4 years.
• Violations of §3 can be criminally sanctioned with fines of maximum 76.000 EUR or imprisonment of maximum 4 years.
When committed with negligence/non-intentionally (article 350b Criminal Code):
• Violations of §1 can be criminally sanctioned with fines of maximum 3.800 EUR or imprisonment of maximum 1 month.
• Violations of §2 can be criminally sanctioned with fines of maximum 3.800 EUR or imprisonment of maximum 1 month.

Cybercrime – computer-related forgery

Relevant law: Criminal Code (Wetboek van Strafrecht)
Reference: See http://wetten.overheid.nl/BWBR0001854/TweedeBoek/
Main provisions in relation to ID theft: No specific penalisation exists for cyber-forgery. Forgery is punished by Article 225 of the Criminal Code, including particularly:
• Art. 225: forgeries on documents destined as proof of any kind, to be used as true, are punishable.
The term ‘writing’ has been interpreted in case law as covering computer files (Hoge Raad 15 January 1991, Nederlandse Jurisprudentie 1991, 68).
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of article 255 can be criminally sanctioned with a fine of maximum 76.000 EUR or imprisonment of maximum 6 years.

Cybercrime – computer-related fraud

Relevant law: Criminal Code (Wetboek van Strafrecht)
Reference: See http://wetten.overheid.nl/BWBR0001854/TweedeBoek/
Main provisions in relation to ID theft: No specific penalisation exists for e-fraud. Fraud in general is punished by Article 326 of the Criminal Code. This article sanctions any act of using deception (including use of false names or titles, or any other type of deceptive manipulation or abuse of good faith or credulity) with a view to appropriating someone else’s property. This would apply to any ID theft incidents involving the use of a falsified identity to appropriate property.
Prescribed sanction: Apart from damages that the victim may receive in civil proceedings, violations of article 326 can be criminally sanctioned with fines of maximum 76.000 EUR or by maximum imprisonment of 4 years. If the fraud has been perpetrated to prepare or help a terrorist activity, the imprisonment sanction is increased by one-third of the sentence.

Application in practice

In the sections below, we will examine if/how these regulations are applied in practice, including the identification of any known case law and resulting sanctions.

Claiming a false identity on-line (eg, creating an account on a social networking site such as Facebook under someone else’s name)

Applicable law(s): Such an incident would likely involve:
- violation of data protection laws, since personal data of the victim would likely be unlawfully processed to make the false identity believable (eg, publication of the victim’s name, address, photo, etc.);
- violation of communication secrecy laws, if the false profile results in messages being sent to the false profile which were intended for the real recipient;
- forgery, if the forgery changed the legal impact of the information;
- fraud, if the false identity was used to unlawfully appropriate property.
Case law available?
1. Dutch celebrities have been confronted with unauthorized fake profiles on social network sites. The people behind these profiles acted as if they were the real person, answering questions and making statements.
2. ID theft has occurred in swindling cases, using fake identities created by registering a free email address (Gmail, Live, Hotmail etc.) in the victim’s name. These email addresses were used to support the purchase of mobile phone subscriptions, and for harassing and swindling through eBay or its Dutch competitor Marktplaats.
Unlawfully using another person’s credentials (eg, using someone else’s username or password to send emails in his/her name)

Applicable law(s): Most of the qualifications above could apply, depending on how the credentials were used:
- violation of the data protection act, since the credentials are likely to be considered personal data which is being unlawfully processed;
- violation of communication secrecy laws, if use of the credentials can be qualified as unlawful access to data related to electronic communication (eg, to make bank transfers);
- fraud, if falsified messages were sent to unlawfully appropriate property;
- illegal access to information systems, if the credentials were used to access a system without authorisation.
Case law available? Some instances of such behaviour have been seen in harassment cases, usually during/after divorces. However, these do not necessarily result in criminal prosecution. Some swindling cases have also involved the unlawful use of another person’s credentials (although it is not always clear how the offender obtained the credentials).

Phishing (using emails and/or falsified websites to trick users into giving up identity information, eg, to collect enough information to log on to someone else’s bank account)

Applicable law(s): The most likely qualifications would be:
- fraud, since emails or websites are used to trick users into giving up identity information;
- forgery, if falsified messages were sent to unlawfully appropriate property.
Case law available? Yes, for example the case of the Amsterdam Court of 28 May 2003 regarding a Nigerian scam where people were tricked by email. The suspect was convicted of money laundering, involvement in a criminal organization, fraud, forgery and possession of forged travel documents, and sentenced to a fine of 411.440 EUR and 4 years and six months of imprisonment.
A copy of the decision can be found here: http://zoeken.rechtspraak.nl/resultpage.aspx?snelzoeken=true&searchtype=ljn&ljn=AF9286&u_ljn=AF9286
Nigerian scams in the form of Spanish lotteries, FBI emails etc. are known in the practice of the Dutch CMI.

Using falsified identity documents (identity cards, social security cards or passports) to unlawfully apply for social benefits

Applicable law(s): The most likely qualifications would be:
- fraud, since the use of a false document would be considered a deception with a view to unlawfully appropriating taxpayer money;
- forgery;
- violation of the appropriate social security law (which would depend on the context).
Case law available? Very few cases are known; the Ministry of Social Affairs and Employment states that it does not occur frequently, since it is much easier to use authentic identity documents to obtain social benefits and then work undeclared than to use falsified documents. In rare instances, a new digital ID is created for public services (the process of getting these IDs is time consuming). All these ID fraud cases were aimed at obtaining unlawful tax benefits by changing bank account number registrations and ‘adding’ some extra children or reducing income.

Trafficking in unlawfully obtained personal information (eg, selling databases of email addresses to email marketeers)

Applicable law(s): The act of trafficking in unlawfully obtained information would likely be:
- a violation of the data protection act, since the personal information would be unlawfully processed;
- a violation of communication secrecy laws, if the personal information contained data related to electronic communication (like email addresses, IP addresses, etc.).
Case law available? No known case law; however, the Dutch CMI frequently receives reports of a well-known practice consisting of the selling/distributing of copies of ID documents to criminal organizations. Copies are obtained from places where people are required to leave a copy, such as hotels, car rental companies, employment agencies etc. ID document copies are used in private sector branches where controls are weak, such as telecom subscriptions or online retail.
No other notable case law has been identified.

ID theft reporting mechanisms

CMI: reporting site

CMI, the Central Reporting and Information Point for Identity Fraud and Identity Errors (Centraal Meld- en Informatiepunt Identiteitsfraude en -fouten, http://www.overheid.nl/identiteitsfraude), is an initiative of the Dutch government. Its purpose is to assist and advise citizens confronted with identity fraud or mistakes in the registration of personal data. Victims usually face several issues:
1. repairing damage or loss and/or getting rid of misled creditors;
2. finding the offender and the cause of the ID fraud;
3. preventing further damage;
4. correcting errors in private and public databases as a result of the fraud.
CMI assists victims with all these issues. Once a victim becomes aware of or suspects identity fraud, CMI assesses the victim’s situation and advises on the necessary steps to be taken. In general, victims note their relief at finding someone able to give them down-to-earth advice, showing them a way out of the unclear and messy situation they are in. Victims are (when applicable) encouraged to report the fraud to the police, enabling CMI partners to check the police’s efforts in the case. The police remain responsible for finding offenders (issue 2). CMI has an advisory role in helping the victim with issues 1 and 3, since these are issues the victims have to deal with themselves. On the other hand, CMI partners may conduct additional research to support the victim’s efforts. CMI also works on correcting errors in government databases, whether they are the result of fraud or have other causes. This service is also open to businesses and other organizations.
CMI has a memorandum of agreement with all public authorities involved in identity management. CMI transfers cases to the appropriate partners in this network and ensures follow-up of the ID fraud cases. Partners include the police, military police, the Ministries of Justice and the Interior, the immigration authority and the public prosecutor. The CMI website provides information with regard to prevention of abuse, warning signs that can indicate abuse and an extensive FAQ list. Inquiries can be made via a contact sheet and will be answered by email within two business days. From January 2011, online contact sheets will be available. The CMI front office is also available by phone. Within three business days after receiving a complaint, CMI will contact the victim. After three weeks a progress report will be provided; this will continue to be done for as long as the case is not resolved, as solving cases requires regular contact with the victims.

Other sites

Apart from CMI, several other sites play a mainly informative role with respect to ID theft, including notably:
• GOVCERT.NL (http://www.govcert.nl/) is the Computer Emergency Response Team for the Dutch Government. Since 2002 it has supported the government in preventing and dealing with ICT-related security incidents, such as the coordination of ICT-related incidents and proactive action to prevent or prepare for such incidents and reduce their impact. GOVCERT.NL focuses on four main areas: monitoring, knowledge exchange, prevention and incident handling. GOVCERT.NL also provides alerts and practical advice to the public and small enterprises via the National Alerting Service Waarschuwingsdienst.nl (http://www.waarschuwingsdienst.nl), such as warnings regarding IT security related incidents by email or SMS alerts and awareness-raising animation videos. Incident response provides 24/7 availability to coordinate recovery from incidents and consists of expertise, tools and other capabilities to act, analyse and communicate with stakeholders and the media. The website contains contact information which allows citizens to contact GOVCERT.NL directly.
• Safecin, the Foundation Addressing Financial-Economic Crime in the Netherlands (Stichting Aanpak Financieel-Economische Criminaliteit in Nederland), provides a website called Fraudemeldpunt.nl (http://www.fraudemeldpunt.nl) that specializes in combating advertising and acquisition fraud. Safecin provides explanations and tips on how to spot and avoid fraud, as well as legal advice if need be. Organizations can report advertising and acquisition fraud which they witnessed or became victim of via the website. An organization that witnessed a fraud can fill out a detailed reporting form to help the authorities with the investigation. The victim of a fraud can file a complaint which Safecin will direct to the competent authorities so that criminal proceedings can be launched.
• Digivaardig&Digibewust (http://www.digivaardigdigibewust.nl/) is a national information website regarding use of the Internet, email and other digital applications. It mainly provides information on how to surf safely on the net and avoid cyber-fraud. It is the successor to the earlier Surf op Safe website.
• Veilig Internetten (www.veiliginternetten.nl) is a media campaign to promote safe use of the Internet, including with respect to ID theft. The campaign works in close cooperation with the aforementioned programme ‘Digivaardig&Digibewust’ and with CMI.
• ID-Check (http://www.idchecker.nl) is a commercial service that allows the verification of the authenticity of identity documents (ID cards, driving licences and passports). Users can scan these and send the PDF scans to the website. The site operators verify the documents and report their findings using a standardised report.
• Expertcentre Identity fraud and documents (ECID) is a joint centre of expertise of the police and the military police. ECID services include a free helpdesk for public and private parties (both in and outside the Netherlands) who need an advanced check on ID documents. (http://www.defensie.nl/marechaussee/service/expertisecentra/expertisecentrum_identiteitsfraude/)

Personal assessment of the framework for combating ID theft

Overall, it seems that the legal framework for combating ID theft incidents in the Netherlands is sufficiently comprehensive, as there do not appear to be any examples of ID theft incidents which are not covered under present legislation. As noted above, however, harassment as such (absent stalking) is not covered by law, even though some instances of ID theft may lead to harassment. It is currently being evaluated whether ID theft in this perspective can be effectively dealt with through stalking legislation.

The establishment of a reporting site for reporting ID fraud in general (the aforementioned CMI portal) can be considered a positive development. Also, starting April 2010, the Netherlands has organised a Knowledge Centre Cybercrime (‘Kenniscentrum Cybercrime’) located at the court house in ’s-Gravenhage. This centre will record all case law regarding cybercrime and will supply judges and clerks with any practical and judicial information on cybercrime they may require in order to perform their duty.

Based on CMI working experience, the main challenge is involving the private sector:
• The vast majority of identity fraud occurs in the private sector (banks, telecom and online retail especially).
• Businesses have little incentive for decent ID checks. There is a trade-off between less fraud (and better ID checks) and more sales (less barriers for